crytter

  1. *****UPDATE***** After getting some help from Blade81 over in the HJT section, it turns out it was the malware infection that was preventing Ad-Aware from running properly. The issue has now been resolved, and Ad-Aware AE runs fine! Once again, many thanks to Blade81 for his time and help! Details of how the problem was resolved can be found in this topic.
  2. Hi Blade, Final steps are completed, thanks very much for your time and all your help! Crytter
  3. Hi, Have deleted c:\windows\system32\4.tmp & F:\temp\RockXP4.exe, and uninstalled J2SE Runtime Environment 5.0 Update 6. Combofix did have some samples for me to upload, have done as requested with a link to this topic. My systems seem to be running fine now, indeed all visible signs of infection were gone after the first time I ran Combofix. My initial problem of Ad-Aware AE exiting during scans also appears to be resolved. It would seem it was the malware trying to prevent me from removing it. New DDS log is below as requested:
  4. All done, logs requested are as follows: Kaspersky Log -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Saturday, September 26, 2009 Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Saturday, September 26, 2009 12:41:22 Records in database: 2923309 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ Scan statistics: Objects scanned: 178576 Threats found: 3 Infected objects found: 3 Suspicious objects found: 0 Scan duration: 04:14:58 File name / Threat / Threats count C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP82\A0043224.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1 C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP82\A0043228.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ff 1 F:\temp\RockXP4.exe Infected: not-a-virus:PSWTool.Win32.RAS.k 1 Selected area has been scanned. DDS.txt DDS (Ver_09-09-24.01) - NTFSx86 Run by Ian at 17:10:09.60 on 26/09/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.767.522 [GMT 1:00] AV: avast! 
antivirus 4.8.1351 [VPS 090926-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Lexmark 2300 Series\lxcgmon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe C:\WINDOWS\System32\lxcgcoms.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\DllHost.exe C:\Documents and Settings\Ian\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.co.uk/ BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe mRun: [soundMan] SOUNDMAN.EXE 
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [WINDVDPatch] CTHELPER.EXE mRun: [updReg] c:\windows\UpdReg.EXE mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe" mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe" mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe" mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s mRun: [sAITEKAUTOCONFIGURE] c:\program files\saitek\saitek gaming extensions\saicnfig.exe /autorun mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,[email protected] mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRunOnce: [uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /Get1noarp dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\belkin 802.11g wireless pci card configuration utility\utility.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: DirectAnimation Java 
Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-21 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-24 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-26 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-24 138680]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [2008-8-19 17149]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-24 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-24 352920]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2007-11-12 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S4 gupdate1c98892ba82b220;Google Update Service (gupdate1c98892ba82b220);c:\program files\google\update\GoogleUpdate.exe [2009-2-6 133104]

=============== Created Last 30 ================

2009-09-26 11:21 0 a------- c:\windows\system32\4.tmp
2009-09-25 20:33 <DIR> a-dshr-- C:\cmdcons
2009-09-25 20:32 229,888 a------- c:\windows\PEV.exe
2009-09-25 20:32 161,792 a------- c:\windows\SWREG.exe
2009-09-25 20:32 98,816 a------- c:\windows\sed.exe
2009-09-21 19:47 231,390 a------- c:\temp\RootkitRevealer.zip
2009-09-21 18:03 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-21 15:51 <DIR> --d----- c:\program files\Trend Micro
2009-09-21 15:49 812,344 a------- c:\temp\HJTInstall.exe
2009-09-21 15:48 <DIR> --d----- C:\Erunt
2009-09-21 15:47 <DIR> --d----- C:\SysRestorePoint
2009-09-21 15:43 513,320 a------- c:\temp\erunt.zip
2009-09-21 15:43 9,334 a------- c:\temp\SysRestorePoint_v13.zip
2009-09-21 13:11 136,192 -c------ c:\windows\system32\dllcache\msv1_0.dll
2009-09-21 13:11 92,928 -c------ c:\windows\system32\dllcache\ksecdd.sys
2009-09-21 13:11 54,272 -c------ c:\windows\system32\dllcache\wdigest.dll
2009-09-21 13:11 301,568 -c------ c:\windows\system32\dllcache\kerberos.dll
2009-09-21 13:03 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-21 13:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 13:01 <DIR> --d----- c:\program files\Lavasoft
2009-09-21 12:59 60,857,536 a------- c:\temp\Ad-AwareAE.exe
2009-09-16 10:04 <DIR> --d----- c:\docume~1\ian\applic~1\LimeWire
2009-09-16 09:47 <DIR> --d----- c:\program files\Elaborate Bytes
2009-09-11 12:02 <DIR> --d----- c:\docume~1\ian\applic~1\Atari
2009-09-11 11:56 197,120 a------- c:\windows\patchw32.dll
2009-09-11 11:56 <DIR> --d----- c:\program files\common files\PocketSoft
2009-09-11 11:51 <DIR> --d----- c:\program files\Atari
2009-09-11 11:46 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-15 23:54 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-18 11:16 47,104 a------- c:\windows\system32\KMVIDC32.DLL
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt

============= FINISH: 17:10:56.60 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-24.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 16/08/2008 19:49:05
System Uptime: 26/09/2009 11:37:33 (6 hours ago)

Motherboard: | | SiS-661
Processor: Intel® Pentium® 4 CPU 3.20GHz | Socket 478 | 3207/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 114 GiB total, 88.061 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 25 GiB total, 11.482 GiB free.
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Belkin 802.11g Wireless Card
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_700A1799&REV_01\3&61AAA01&1&58
Manufacturer: Belkin Components
Name: Belkin 802.11g Wireless Card
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_700A1799&REV_01\3&61AAA01&1&58
Service: RT2500

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\FF1A09990AE6
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\FF1A09990AE6
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&1&70
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&1&70
Service: RTL8023

==== System Restore Points ===================

RP60: 05/07/2009 14:15:16 - Software Distribution Service 3.0
RP61: 09/07/2009 18:32:03 - Software Distribution Service 3.0
RP62: 16/07/2009 17:50:22 - Software Distribution Service 3.0
RP63: 27/07/2009 22:10:28 - System Checkpoint
RP64: 28/07/2009 22:32:05 - Software Distribution Service 3.0
RP65: 03/08/2009 21:45:05 - System Checkpoint
RP66: 10/08/2009 00:35:50 - Software Distribution Service 3.0
RP67: 10/08/2009 20:28:30 - Printer Driver Microsoft XPS Document Writer Installed
RP68: 11/08/2009 23:12:23 - System Checkpoint
RP69: 18/08/2009 17:24:14 - Software Distribution Service 3.0
RP70: 21/08/2009 18:10:45 - Installed Adabas D 13.01.00
RP71: 21/08/2009 18:11:22 - Installed J2SE Runtime Environment 5.0 Update 6
RP72: 21/08/2009 18:12:33 - Installed StarOffice 8
RP73: 22/08/2009 11:55:34 - Installed Java 6 Update 15
RP74: 26/08/2009 19:37:08 - System Checkpoint
RP75: 26/08/2009 21:03:50 - Software Distribution Service 3.0
RP76: 31/08/2009 15:46:13 - System Checkpoint
RP77: 02/09/2009 23:31:14 - Software Distribution Service 3.0
RP78: 11/09/2009 11:51:22 - Installed RollerCoaster Tycoon® 3
RP79: 11/09/2009 11:56:18 - Installed Windows Media Format 9 Series Runtime Setup
RP80: 11/09/2009 13:00:40 - Software Distribution Service 3.0
RP81: 21/09/2009 13:34:08 - Software Distribution Service 3.0
RP82: 21/09/2009 15:47:29 - Automatic Restore Point
RP83: 25/09/2009 20:32:56 - ComboFix created restore point
RP84: 26/09/2009 11:47:38 - Removed Adobe Reader 6.0
RP85: 26/09/2009 11:52:51 - Installed Adobe Reader 9.1.

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Acrobat.com
Ad-Aware
Adabas D 13.01.00
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1.3
Apple Software Update
avast! Antivirus
Belkin 802.11g Wireless PCI Card
Deus Ex
DivX Codec
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Homeworld
Homeworld Ship Editor
Homeworld2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
J2SE Runtime Environment 5.0 Update 6
Java 6 Update 15
Lexmark 2300 Series
Lexmark Fax Solutions
LucasArts' Balance of Power
LucasArts' X-Wing vs. TIE Fighter
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
Nero Media Player
Nero OEM
NeroVision Express 2 SE
Nokia Connectivity Cable Driver
Nokia MTP driver
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
Operation Flashpoint Gold Upgrade uninstall
Operation Flashpoint uninstall
PC Connectivity Solution
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
RollerCoaster Tycoon® 3
Saitek Gaming Extensions
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sky Broadband
SopCast 2.0.4
Sound Blaster Live! Web 2K/XP
Star Trek STCS v205 Beta 3
StarOffice 8
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Driver Package - Nokia Modem (02/23/2009 7.01.0.2)
Windows Driver Package - Nokia Modem (02/24/2009 4.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver
Word in Works Suite add-in
Worms2

==== Event Viewer Messages From Past Week ========

26/09/2009 17:07:57, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.
26/09/2009 17:07:57, error: Service Control Manager [7000] - The avast! Web Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
26/09/2009 11:47:44, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
26/09/2009 11:20:25, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000D87DC8C7A has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
25/09/2009 20:37:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
22/09/2009 19:13:03, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000D87DC8C7A has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
21/09/2009 13:56:02, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
21/09/2009 13:42:48, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Lavasoft Ad-Aware Service service, but this action failed with the following error: An instance of the service is already running.
21/09/2009 13:42:43, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
21/09/2009 13:40:27, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
21/09/2009 13:37:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
21/09/2009 13:37:42, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:42, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:42, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:42, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
21/09/2009 13:33:38, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 4 time(s).
21/09/2009 13:32:41, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
21/09/2009 13:32:19, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Combofix Log

ComboFix 09-09-25.01 - Ian 26/09/2009 11:29.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.767.412 [GMT 1:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090926-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE :: "c:\docume~1\ian\locals~1\temp\jswmidin.sys"
file zipped: c:\windows\system32\27.tmp
file zipped: c:\windows\system32\CTSPKHLP32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ian\Application Data2000000603ef599669C.manifest
c:\documents and settings\Ian\Application Data2000000603ef599669O.manifest
c:\documents and settings\Ian\Application Data2000000603ef599669P.manifest
c:\documents and settings\Ian\Application Data2000000603ef599669S.manifest
c:\windows\system32\27.tmp
c:\windows\system32\CTSPKHLP32.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\LocalService
c:\windows\system32\LocalService\5.tmp
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JSWMIDIN
-------\Service_jswmidin

((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-21 18:47 . 2009-09-21 18:47 231390 ----a-w- c:\temp\RootkitRevealer.zip
2009-09-21 17:03 . 2009-09-21 12:02 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-21 14:51 . 2009-09-21 14:51 -------- d-----w- c:\program files\Trend Micro
2009-09-21 14:49 . 2009-09-21 14:49 812344 ----a-w- c:\temp\HJTInstall.exe
2009-09-21 14:48 . 2009-09-21 18:48 -------- d-----w- C:\Erunt
2009-09-21 14:47 . 2009-09-21 14:47 -------- d-----w- C:\SysRestorePoint
2009-09-21 14:43 . 2009-09-21 14:43 513320 ----a-w- c:\temp\erunt.zip
2009-09-21 14:43 . 2009-09-21 14:43 9334 ----a-w- c:\temp\SysRestorePoint_v13.zip
2009-09-21 12:11 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-09-21 12:11 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-21 12:11 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-09-21 12:11 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-09-21 12:03 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-21 12:02 . 2009-09-21 12:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 12:01 . 2009-09-21 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-21 12:01 . 2009-09-21 12:01 -------- d-----w- c:\program files\Lavasoft
2009-09-21 11:59 . 2009-09-21 11:59 60857536 ----a-w- c:\temp\Ad-AwareAE.exe
2009-09-17 09:41 . 2009-09-17 09:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-16 09:04 . 2009-09-16 09:26 -------- d-----w- c:\documents and settings\Ian\Application Data\LimeWire
2009-09-16 08:47 . 2009-09-16 08:48 -------- d-----w- c:\program files\Elaborate Bytes
2009-09-14 11:30 . 2009-09-16 08:48 -------- d-----w- c:\documents and settings\Ian\Local Settings\Application Data\Yahoo!
2009-09-11 11:02 . 2009-09-11 11:02 -------- d-----w- c:\documents and settings\Ian\Application Data\Atari
2009-09-11 10:56 . 2009-09-11 10:56 -------- d-----w- c:\program files\Common Files\PocketSoft
2009-09-11 10:56 . 2002-02-27 17:50 197120 ----a-w- c:\windows\patchw32.dll
2009-09-11 10:51 . 2009-09-11 10:51 -------- d-----w- c:\program files\Atari
2009-09-11 10:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-09-26 10:37 . 2008-08-18 20:00 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80311102}.dat
2009-09-26 10:37 . 2008-08-18 20:00 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80311102}.dat
2009-09-26 10:21 . 2009-09-26 10:21 0 ----a-w- c:\windows\system32\4.tmp
2009-09-26 10:21 . 2009-02-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-25 19:23 . 2009-05-04 11:22 -------- d-----w- c:\program files\BitComet
2009-09-17 08:38 . 2008-08-19 15:15 -------- d-----w- c:\program files\Lx_cats
2009-09-15 22:54 . 2008-08-26 16:15 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-09-12 14:07 . 2008-12-29 20:02 -------- d-----w- c:\documents and settings\Ian\Application Data\AdobeUM
2009-09-11 10:51 . 2004-02-02 17:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-04 20:54 . 2008-08-18 19:45 32544 ----a-w- c:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 18:23 . 2008-08-22 16:24 -------- d-----w- c:\program files\hwse
2009-08-31 17:25 . 2009-08-21 17:22 -------- d-----w- c:\documents and settings\Ian\Application Data\StarOffice8
2009-08-22 10:55 . 2008-11-25 16:07 -------- d-----w- c:\program files\Java
2009-08-21 17:12 . 2009-08-21 17:12 -------- d-----w- c:\program files\Sun
2009-08-21 17:11 . 2009-08-21 17:11 -------- d-----w- c:\program files\Common Files\Java
2009-08-18 10:16 . 2009-08-18 10:15 47104 ----a-w- c:\windows\system32\KMVIDC32.DLL
2009-08-17 16:10 . 2008-11-24 16:18 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-11-24 16:18 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-11-24 16:18 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-11-24 16:18 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-11-25 23:06 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-11-24 16:18 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-11-24 16:18 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-11-24 16:18 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-11-24 16:18 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-12 12:26 . 2009-02-02 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-08-12 12:26 . 2009-02-02 16:15 -------- d-----w- c:\program files\Nokia
2009-08-12 12:26 . 2009-02-02 16:16 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-09 23:40 . 2009-08-09 23:40 -------- d-----w- c:\program files\MSBuild
2009-08-09 23:40 . 2009-08-09 23:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2007-11-12 22:29 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 18:46 . 2009-08-02 18:45 -------- d-----w- c:\program files\begin 3.0
2009-07-25 04:23 . 2008-11-25 16:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2007-11-12 22:27 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 11:21 . 2003-03-27 08:19 233472 ------w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-11-12 22:30 915456 ------w- c:\windows\system32\wininet.dll
2003-12-18 10:33 . 2008-08-26 16:08 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 06:46 . 2008-08-26 16:08 10960 ----a-w- c:\program files\EULA.txt
.

((((((((((((((((((((((((((((( [email protected]_19.49.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-26 10:38 . 2009-09-26 10:38 16384 c:\windows\Temp\Perflib_Perfdata_438.dat
+ 2009-09-26 10:20 . 2009-09-26 10:20 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"SAITEKAUTOCONFIGURE"="c:\program files\Saitek\Saitek Gaming Extensions\saicnfig.exe" [2000-08-02 45056]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-10-09 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2006-10-22 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2008-8-19 327765]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-9-5 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-5 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c98892ba82b220"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Team17\\Worms2\\frontend.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12264:TCP"= 12264:TCP:BitComet 12264 TCP
"12264:UDP"= 12264:UDP:BitComet 12264 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/09/2009 13:03 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/11/2008 17:18 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/11/2008 00:06 20560]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [19/08/2008 16:10 17149]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S4 gupdate1c98892ba82b220;Google Update Service (gupdate1c98892ba82b220);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2009 20:40 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.

Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 12:02]

2009-09-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 21:36]

2009-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 19:40]

2009-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-d80196dc669 - c:\windows\System32\CTSPKHLP32.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 11:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\lxcgcoms.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-26 11:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 10:43

Pre-Run: 94,999,236,608 bytes free
Post-Run: 94,895,726,592 bytes free

241 --- E O F --- 2009-09-21 12:34
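A triage pass over logs like the ones in this post, added here as an example and not part of crytter's post or of the DDS and ComboFix tools: it reads the log one entry per line and flags the indicators a helper reads first (throw-away .tmp files and scripts under system32, a driver loading from a profile temp directory, a Winlogon Notify orphan, the firewall and Security Center settings turned off, globally open ports, and the services ComboFix removed). The rule names, severities and regexes are this example's own; the sample lines are copied from the logs above and assembled by hand, not produced by running the tools here.

```python
"""Indicator triage for DDS / ComboFix text logs (added example).

Assumes one log entry per line.  The sample lines are copied from the
logs posted in this thread and assembled here by hand; the rule names,
severities and regexes are this example's own, not DDS or ComboFix output.
"""
import re

# Constructed sample: a handful of lines from the DDS and ComboFix logs above.
SAMPLE_LOG = r"""2009-09-26 11:21 0 a------- c:\windows\system32\4.tmp
2009-09-21 19:47 231,390 a------- c:\temp\RootkitRevealer.zip
FILE :: "c:\docume~1\ian\locals~1\temp\jswmidin.sys"
c:\windows\system32\nZzbloC.vbs
c:\windows\system32\LocalService\5.tmp
-------\Legacy_JSWMIDIN
-------\Service_jswmidin
Notify-d80196dc669 - c:\windows\System32\CTSPKHLP32.dll
"UpdatesDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"12264:TCP"= 12264:TCP:BitComet 12264 TCP
"12264:UDP"= 12264:UDP:BitComet 12264 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-21 64160]
"""

SEVERITY = {"high": 3, "medium": 2, "low": 1, "info": 0}

# (rule name, severity, pattern).  Paths in these logs never contain quotes,
# so [^\s"] walks a path without running into the next field.
RULES = [
    # throw-away *.tmp names directly under system32 (or a sub-folder of it)
    ("tmp-in-system32", "high",
     re.compile(r'\\windows\\system32\\[^\s"]*\.tmp\b', re.I)),
    # a kernel driver living in a temp directory has no business loading
    ("driver-in-temp", "high",
     re.compile(r'\\temp\\[^\s"\\]+\.sys\b', re.I)),
    # script files dropped into system32
    ("script-in-system32", "high",
     re.compile(r'\\windows\\system32\\[^\s"]*\.(?:vbs|js|bat|cmd)\b', re.I)),
    # ComboFix "ORPHANS REMOVED" line for a Winlogon Notify DLL
    ("winlogon-notify", "medium", re.compile(r"^Notify-\S+ - \S+", re.I)),
    # Windows Firewall standard profile switched off
    ("firewall-disabled", "medium",
     re.compile(r'"EnableFirewall"\s*=\s*0\b')),
    # Security Center told not to warn about missing updates
    ("security-center-notify-off", "low",
     re.compile(r'"UpdatesDisableNotify"\s*=\s*dword:0*1\b')),
    # ports opened for every application in the firewall policy
    ("globally-open-port", "info", re.compile(r'"(\d+):(?:TCP|UDP)"\s*=')),
    # services ComboFix deleted; worth recording which ones went
    ("service-removed", "info", re.compile(r"^-------\\Service_(\S+)")),
]


def triage(log_text):
    """Return one finding per (rule, line) hit, highest severity first."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "severity": severity,
                                 "lineno": lineno, "line": line})
    findings.sort(key=lambda f: (-SEVERITY[f["severity"]], f["lineno"]))
    return findings


def summarize(findings):
    """Count hits per rule, so a long log reduces to a short table."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:<6} {f['rule']:<28} line {f['lineno']}: {f['line']}")
    print(summarize(hits))
```

Run against the sample, the four "high" hits are the two .tmp files under system32, the driver in the user's temp folder and the .vbs in system32; the legitimate tool downloads in c:\temp and the Ad-Aware driver Lbd.sys produce nothing, which is the point of keying the rules on extension plus location rather than on location alone. Feed it the whole log text (one entry per line) and read the summary before the details.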
  5. Combofix log and new DDS logs are below:

Combofix log

ComboFix 09-09-24.01 - Ian 25/09/2009 20:37.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.767.453 [GMT 1:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090925-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data2000000603ef599669C.manifest
c:\documents and settings\Administrator\Application Data2000000603ef599669O.manifest
c:\documents and settings\Administrator\Application Data2000000603ef599669P.manifest
c:\documents and settings\Administrator\Application Data2000000603ef599669S.manifest
c:\documents and settings\Eve\Application Data\WeatherDPA
c:\documents and settings\Eve\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Ian\Application Data2000000603ef599669C.manifest
c:\documents and settings\Ian\Application Data2000000603ef599669O.manifest
c:\documents and settings\Ian\Application Data2000000603ef599669P.manifest
c:\documents and settings\Ian\Application Data2000000603ef599669S.manifest
c:\program files\INSTALL.LOG
c:\windows\desktop
c:\windows\desktop\Saitek Gaming Extensions.lnk
c:\windows\Installer\52ed7.msp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\LocalService
c:\windows\system32\LocalService\4E.tmp
c:\windows\system32\nZzbloC.vbs
.

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-21 18:47 . 2009-09-21 18:47 231390 ----a-w- c:\temp\RootkitRevealer.zip
2009-09-21 17:03 . 2009-09-21 12:02 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-21 14:51 . 2009-09-21 14:51 -------- d-----w- c:\program files\Trend Micro
2009-09-21 14:49 . 2009-09-21 14:49 812344 ----a-w- c:\temp\HJTInstall.exe
2009-09-21 14:48 . 2009-09-21 18:48 -------- d-----w- C:\Erunt
2009-09-21 14:47 . 2009-09-21 14:47 -------- d-----w- C:\SysRestorePoint
2009-09-21 14:43 . 2009-09-21 14:43 513320 ----a-w- c:\temp\erunt.zip
2009-09-21 14:43 . 2009-09-21 14:43 9334 ----a-w- c:\temp\SysRestorePoint_v13.zip
2009-09-21 12:11 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-09-21 12:11 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-21 12:11 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-09-21 12:11 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-09-21 12:03 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-21 12:02 . 2009-09-21 12:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 12:01 . 2009-09-21 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-21 12:01 . 2009-09-21 12:01 -------- d-----w- c:\program files\Lavasoft
2009-09-21 11:59 . 2009-09-21 11:59 60857536 ----a-w- c:\temp\Ad-AwareAE.exe
2009-09-17 09:41 . 2009-09-17 09:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-16 09:15 . 2009-09-16 09:15 122880 ----a-w- c:\windows\system32\CTSPKHLP32.dll
2009-09-16 09:04 . 2009-09-16 09:26 -------- d-----w- c:\documents and settings\Ian\Application Data\LimeWire
2009-09-16 08:47 . 2009-09-16 08:48 -------- d-----w- c:\program files\Elaborate Bytes
2009-09-14 11:30 . 2009-09-16 08:48 -------- d-----w- c:\documents and settings\Ian\Local Settings\Application Data\Yahoo!
2009-09-11 11:02 . 2009-09-11 11:02 -------- d-----w- c:\documents and settings\Ian\Application Data\Atari
2009-09-11 10:56 . 2009-09-11 10:56 -------- d-----w- c:\program files\Common Files\PocketSoft
2009-09-11 10:56 . 2002-02-27 17:50 197120 ----a-w- c:\windows\patchw32.dll
2009-09-11 10:51 . 2009-09-11 10:51 -------- d-----w- c:\program files\Atari
2009-09-11 10:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-09-25 19:23 . 2009-05-04 11:22 -------- d-----w- c:\program files\BitComet
2009-09-25 17:42 . 2008-08-18 20:00 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80311102}.dat
2009-09-25 17:42 . 2008-08-18 20:00 24 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80311102}.dat
2009-09-24 22:03 . 2009-02-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-17 08:38 . 2008-08-19 15:15 -------- d-----w- c:\program files\Lx_cats
2009-09-16 09:15 . 2009-09-16 09:15 0 ----a-w- c:\windows\system32\27.tmp
2009-09-15 22:54 . 2008-08-26 16:15 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-09-12 14:07 . 2008-12-29 20:02 -------- d-----w- c:\documents and settings\Ian\Application Data\AdobeUM
2009-09-11 10:51 . 2004-02-02 17:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-04 20:54 . 2008-08-18 19:45 32544 ----a-w- c:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 18:23 . 2008-08-22 16:24 -------- d-----w- c:\program files\hwse
2009-08-31 17:25 . 2009-08-21 17:22 -------- d-----w- c:\documents and settings\Ian\Application Data\StarOffice8
2009-08-22 10:55 . 2008-11-25 16:07 -------- d-----w- c:\program files\Java
2009-08-21 17:12 . 2009-08-21 17:12 -------- d-----w- c:\program files\Sun
2009-08-21 17:11 . 2009-08-21 17:11 -------- d-----w- c:\program files\Common Files\Java
2009-08-18 10:16 . 2009-08-18 10:15 47104 ----a-w- c:\windows\system32\KMVIDC32.DLL
2009-08-17 16:10 . 2008-11-24 16:18 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2008-11-24 16:18 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2008-11-24 16:18 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-11-24 16:18 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-11-25 23:06 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2008-11-24 16:18 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-11-24 16:18 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2008-11-24 16:18 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2008-11-24 16:18 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-12 12:26 . 2009-02-02 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-08-12 12:26 . 2009-02-02 16:15 -------- d-----w- c:\program files\Nokia
2009-08-12 12:26 . 2009-02-02 16:16 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-09 23:40 . 2009-08-09 23:40 -------- d-----w- c:\program files\MSBuild
2009-08-09 23:40 . 2009-08-09 23:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2007-11-12 22:29 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 18:46 . 2009-08-02 18:45 -------- d-----w- c:\program files\begin 3.0
2009-07-25 04:23 . 2008-11-25 16:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2007-11-12 22:27 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 11:21 . 2003-03-27 08:19 233472 ------w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-11-12 22:30 915456 ----a-w- c:\windows\system32\wininet.dll
2003-12-18 10:33 . 2008-08-26 16:08 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 06:46 . 2008-08-26 16:08 10960 ----a-w- c:\program files\EULA.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"SAITEKAUTOCONFIGURE"="c:\program files\Saitek\Saitek Gaming Extensions\saicnfig.exe" [2000-08-02 45056]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-10-09 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2006-10-22 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2008-8-19 327765]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-9-5 65588]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-5 53317]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\d80196dc669]
2009-09-16 09:15 122880 ----a-w- c:\windows\system32\CTSPKHLP32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c98892ba82b220"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Team17\\Worms2\\frontend.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12264:TCP"= 12264:TCP:BitComet 12264 TCP
"12264:UDP"= 12264:UDP:BitComet 12264 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [21/09/2009 13:03 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/11/2008 17:18 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/11/2008 00:06 20560]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [19/08/2008 16:10 17149]
S3 jswmidin;jswmidin;\??\c:\docume~1\Ian\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\Ian\LOCALS~1\Temp\jswmidin.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S4 gupdate1c98892ba82b220;Google Update Service (gupdate1c98892ba82b220);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2009 20:40 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 12:02]

2009-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 21:36]

2009-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 19:40]

2009-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-OemReset - c:\windows\OPTIONS\OEMRESET.EXE
AddRemove-Flashpoint Resistance - c:\program files\Codemasters\UnInstallResistance.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\windows\System32\CTSPKHLP32.dll

- - - - - - - > 'lsass.exe'(568)
c:\windows\System32\CTSPKHLP32.dll
.
Completion time: 2009-09-25 20:52
ComboFix-quarantined-files.txt 2009-09-25 19:51

Pre-Run: 93,845,729,280 bytes free
Post-Run: 94,987,087,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

237 --- E O F --- 2009-09-21 12:34

DDS.txt

DDS (Ver_09-09-24.01) - NTFSx86
Run by Ian at 23:01:44.71 on 25/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.767.374 [GMT 1:00]

AV: avast! antivirus 4.8.1351 [VPS 090925-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.co.uk/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [updReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [sAITEKAUTOCONFIGURE] c:\program files\saitek\saitek gaming extensions\saicnfig.exe /autorun
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,[email protected]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\belkin 802.11g wireless pci card configuration utility\utility.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: d80196dc669 - c:\windows\system32\CTSPKHLP32.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-21 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-24 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-26 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-24 138680]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [2008-8-19 17149]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-24 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-24 352920]
S3 jswmidin;jswmidin;\??\c:\docume~1\ian\locals~1\temp\jswmidin.sys --> c:\docume~1\ian\locals~1\temp\jswmidin.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S4 gupdate1c98892ba82b220;Google Update Service (gupdate1c98892ba82b220);c:\program files\google\update\GoogleUpdate.exe [2009-2-6 133104]

=============== Created Last 30 ================

2009-09-25 20:33 <DIR> a-dshr-- C:\cmdcons
2009-09-25 20:32 229,888 a------- c:\windows\PEV.exe
2009-09-25 20:32 161,792 a------- c:\windows\SWREG.exe
2009-09-25 20:32 98,816 a------- c:\windows\sed.exe
2009-09-25 20:32 <DIR> --d----- C:\ComboFix
2009-09-21 19:47 231,390 a------- c:\temp\RootkitRevealer.zip
2009-09-21 18:03 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-21 15:51 <DIR> --d----- c:\program files\Trend Micro
2009-09-21 15:49 812,344 a------- c:\temp\HJTInstall.exe
2009-09-21 15:48 <DIR> --d----- C:\Erunt
2009-09-21 15:47 <DIR> --d----- C:\SysRestorePoint
2009-09-21 15:43 513,320 a------- c:\temp\erunt.zip
2009-09-21 15:43 9,334 a------- c:\temp\SysRestorePoint_v13.zip
2009-09-21 13:11 136,192 -c------ c:\windows\system32\dllcache\msv1_0.dll
2009-09-21 13:11 92,928 -c------ c:\windows\system32\dllcache\ksecdd.sys
2009-09-21 13:11 54,272 -c------ c:\windows\system32\dllcache\wdigest.dll
2009-09-21 13:11 301,568 -c------ c:\windows\system32\dllcache\kerberos.dll
2009-09-21 13:03 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-21 13:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-21 13:01 <DIR> --d----- c:\program files\Lavasoft
2009-09-21 12:59 60,857,536 a------- c:\temp\Ad-AwareAE.exe
2009-09-16 10:15 0 a------- c:\windows\system32\27.tmp
2009-09-16 10:15 122,880 a------- c:\windows\system32\CTSPKHLP32.dll
2009-09-16 10:04 <DIR> --d----- c:\docume~1\ian\applic~1\LimeWire
2009-09-16 09:47 <DIR> --d----- c:\program files\Elaborate Bytes
2009-09-11 12:02 <DIR> --d----- c:\docume~1\ian\applic~1\Atari
2009-09-11 11:56 197,120 a------- c:\windows\patchw32.dll
2009-09-11 11:56 <DIR> --d----- c:\program files\common files\PocketSoft
2009-09-11 11:51 <DIR> --d----- c:\program files\Atari
2009-09-11 11:46 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-15 23:54 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-08-18 11:16 47,104 a------- c:\windows\system32\KMVIDC32.DLL
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt

============= FINISH: 23:01:56.14 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-24.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 16/08/2008 19:49:05
System Uptime: 25/09/2009 20:17:35 (3 hours ago)

Motherboard: | | SiS-661
Processor: Intel® Pentium® 4 CPU 3.20GHz | Socket 478 | 3207/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 114 GiB total, 88.502 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 25 GiB total, 11.482 GiB free.
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Belkin 802.11g Wireless Card
Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_700A1799&REV_01\3&61AAA01&1&58
Manufacturer: Belkin Components
Name: Belkin 802.11g Wireless Card
PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_700A1799&REV_01\3&61AAA01&1&58
Service: RT2500

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\FF1A09990AE6
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\FF1A09990AE6
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&1&70
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&1&70
Service: RTL8023

==== System Restore Points ===================

RP58: 26/05/2009 15:50:32 - System Checkpoint
RP59: 02/06/2009 12:26:51 - System Checkpoint
RP60: 05/07/2009 14:15:16 - Software Distribution Service 3.0
RP61: 09/07/2009 18:32:03 - Software Distribution Service 3.0
RP62: 16/07/2009 17:50:22 - Software Distribution Service 3.0
RP63: 27/07/2009 22:10:28 - System Checkpoint
RP64: 28/07/2009 22:32:05 - Software Distribution Service 3.0
RP65: 03/08/2009 21:45:05 - System Checkpoint
RP66: 10/08/2009 00:35:50 - Software Distribution Service 3.0
RP67: 10/08/2009 20:28:30 - Printer Driver Microsoft XPS Document Writer Installed
RP68: 11/08/2009 23:12:23 - System Checkpoint
RP69: 18/08/2009 17:24:14 - Software Distribution Service 3.0
RP70: 21/08/2009 18:10:45 - Installed Adabas D 13.01.00
RP71: 21/08/2009 18:11:22 - Installed J2SE Runtime Environment 5.0 Update 6
RP72: 21/08/2009 18:12:33 - Installed StarOffice 8
RP73: 22/08/2009 11:55:34 - Installed Java 6 Update 15
RP74: 26/08/2009 19:37:08 - System Checkpoint
RP75: 26/08/2009 21:03:50 - Software Distribution Service 3.0
RP76: 31/08/2009 15:46:13 - System Checkpoint
RP77: 02/09/2009 23:31:14 - Software Distribution Service 3.0
RP78: 11/09/2009 11:51:22 - Installed RollerCoaster Tycoon® 3
RP79: 11/09/2009 11:56:18 - Installed Windows Media Format 9 Series Runtime Setup
RP80: 11/09/2009 13:00:40 - Software Distribution Service 3.0
RP81: 21/09/2009 13:34:08 - Software Distribution Service 3.0
RP82: 21/09/2009 15:47:29 - Automatic Restore Point
RP83: 25/09/2009 20:32:56 - ComboFix created restore point

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Ad-Aware
Adabas D 13.01.00
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0
Apple Software Update
avast! Antivirus
Belkin 802.11g Wireless PCI Card
Deus Ex
DivX Codec
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Homeworld
Homeworld Ship Editor
Homeworld2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
J2SE Runtime Environment 5.0 Update 6
Java 6 Update 15
Lexmark 2300 Series
Lexmark Fax Solutions
LucasArts' Balance of Power
LucasArts' X-Wing vs. TIE Fighter
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
Nero Media Player
Nero OEM
NeroVision Express 2 SE
Nokia Connectivity Cable Driver
Nokia MTP driver
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
Operation Flashpoint Gold Upgrade uninstall
Operation Flashpoint uninstall
PC Connectivity Solution
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
RollerCoaster Tycoon® 3
Saitek Gaming Extensions
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sky Broadband
SopCast 2.0.4
Sound Blaster Live! Web 2K/XP
Star Trek STCS v205 Beta 3
StarOffice 8
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Driver Package - Nokia Modem (02/23/2009 7.01.0.2)
Windows Driver Package - Nokia Modem (02/24/2009 4.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver
Word in Works Suite add-in
Worms2

==== Event Viewer Messages From Past Week ========

25/09/2009 20:37:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
22/09/2009 19:13:03, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000D87DC8C7A has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
21/09/2009 13:42:48, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Lavasoft Ad-Aware Service service, but this action failed with the following error: An instance of the service is already running.
21/09/2009 13:40:27, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
21/09/2009 13:39:56, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
21/09/2009 13:37:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
21/09/2009 13:37:42, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:42, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:42, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:42, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
21/09/2009 13:37:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
21/09/2009 13:33:38, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 4 time(s).
21/09/2009 13:32:41, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
21/09/2009 13:32:19, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
21/09/2009 13:32:12, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. ==== End Of File ===========================
  6. Here are the scan logs requested: DDS.txt: DDS (Ver_09-09-24.01) - NTFSx86 Run by Ian at 17:56:41.93 on 25/09/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.767.496 [GMT 1:00] AV: avast! antivirus 4.8.1351 [VPS 090924-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Lexmark 2300 Series\ezprint.exe C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe svchost.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\WINDOWS\System32\lxcgcoms.exe C:\Documents and Settings\Ian\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.co.uk/ uWindow Title = Internet Explorer Provided By Sky Broadband uDefault_Page_URL = hxxp://www.sky.com BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll BHO: Java Plug-In 2 SSV 
Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT mRun: [siSUSBRG] c:\windows\SiSUSBrg.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [WINDVDPatch] CTHELPER.EXE mRun: [updReg] c:\windows\UpdReg.EXE mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe" mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe" mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe" mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s mRun: [sAITEKAUTOCONFIGURE] c:\program files\saitek\saitek gaming extensions\saicnfig.exe /autorun mRun: [avast!] 
c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,[email protected] dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\belkin 802.11g wireless pci card configuration utility\utility.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - 
hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab Notify: d80196dc669 - c:\windows\system32\CTSPKHLP32.dll AppInit_DLLs: c:\windows\system32\CTSPKHLP32.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-21 64160] R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-24 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-26 20560] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-24 138680] R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [2008-8-19 17149] S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-24 254040] S3 avast! Web Scanner;avast! 
Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-24 352920] S3 jswmidin;jswmidin;c:\docume~1\ian\locals~1\temp\jswmidin.sys [2007-5-8 29696] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432] S4 gupdate1c98892ba82b220;Google Update Service (gupdate1c98892ba82b220);c:\program files\google\update\GoogleUpdate.exe [2009-2-6 133104] =============== Created Last 30 ================ 2009-09-25 17:50 <DIR> --dsh--- c:\windows\system32\LocalService 2009-09-21 19:47 231,390 a------- c:\temp\RootkitRevealer.zip 2009-09-21 18:03 15,688 a------- c:\windows\system32\lsdelete.exe 2009-09-21 15:51 <DIR> --d----- c:\program files\Trend Micro 2009-09-21 15:49 812,344 a------- c:\temp\HJTInstall.exe 2009-09-21 15:48 <DIR> --d----- C:\Erunt 2009-09-21 15:47 <DIR> --d----- C:\SysRestorePoint 2009-09-21 15:43 513,320 a------- c:\temp\erunt.zip 2009-09-21 15:43 9,334 a------- c:\temp\SysRestorePoint_v13.zip 2009-09-21 13:11 136,192 -c------ c:\windows\system32\dllcache\msv1_0.dll 2009-09-21 13:11 92,928 -c------ c:\windows\system32\dllcache\ksecdd.sys 2009-09-21 13:11 54,272 -c------ c:\windows\system32\dllcache\wdigest.dll 2009-09-21 13:11 301,568 -c------ c:\windows\system32\dllcache\kerberos.dll 2009-09-21 13:03 64,160 a------- c:\windows\system32\drivers\Lbd.sys 2009-09-21 13:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864} 2009-09-21 13:01 <DIR> --d----- c:\program files\Lavasoft 2009-09-21 12:59 60,857,536 a------- c:\temp\Ad-AwareAE.exe 2009-09-16 10:15 1,482 a--sh--- c:\windows\system32\GroupPolicy000.dat 2009-09-16 10:15 0 a------- c:\windows\system32\27.tmp 2009-09-16 10:15 122,880 a------- c:\windows\system32\CTSPKHLP32.dll 2009-09-16 10:15 615 a------- c:\windows\system32\nZzbloC.vbs 2009-09-16 10:04 <DIR> --d----- c:\docume~1\ian\applic~1\LimeWire 2009-09-16 09:47 <DIR> --d----- c:\program files\Elaborate Bytes 2009-09-11 12:02 <DIR> 
--d----- c:\docume~1\ian\applic~1\Atari 2009-09-11 11:56 197,120 a------- c:\windows\patchw32.dll 2009-09-11 11:56 <DIR> --d----- c:\program files\common files\PocketSoft 2009-09-11 11:51 <DIR> --d----- c:\program files\Atari 2009-09-11 11:46 153,088 -c------ c:\windows\system32\dllcache\triedit.dll ==================== Find3M ==================== 2009-09-15 23:54 43,520 a------- c:\windows\system32\CmdLineExt03.dll 2009-08-18 11:16 47,104 a------- c:\windows\system32\KMVIDC32.DLL 2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll 2009-07-12 12:21 233,472 -------- c:\windows\system32\wmpdxm.dll 2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll 2008-08-26 17:08 349 a------- c:\program files\INSTALL.LOG 2003-12-18 11:33 20,102 a------- c:\program files\Readme.txt 2003-09-03 07:46 10,960 a------- c:\program files\EULA.txt ============= FINISH: 17:58:47.81 =============== Attach.txt: UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_09-09-24.01) Microsoft Windows XP Home Edition Boot Device: \Device\HarddiskVolume1 Install Date: 16/08/2008 19:49:05 System Uptime: 25/09/2009 17:45:02 (0 hours ago) Motherboard: | | SiS-661 Processor: Intel® Pentium® 4 CPU 3.20GHz | Socket 478 | 3207/200mhz ==== Disk Partitions ========================= A: is Removable C: is FIXED (NTFS) - 114 GiB total, 87.467 GiB free. D: is CDROM () E: is CDROM () F: is FIXED (NTFS) - 25 GiB total, 11.482 GiB free. 
G: is Removable H: is Removable I: is Removable J: is Removable ==== Disabled Device Manager Items ============= Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Belkin 802.11g Wireless Card Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_700A1799&REV_01\3&61AAA01&1&58 Manufacturer: Belkin Components Name: Belkin 802.11g Wireless Card PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_700A1799&REV_01\3&61AAA01&1&58 Service: RT2500 Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: 1394 Net Adapter Device ID: V1394\NIC1394\FF1A09990AE6 Manufacturer: Microsoft Name: 1394 Net Adapter #2 PNP Device ID: V1394\NIC1394\FF1A09990AE6 Service: NIC1394 Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Realtek RTL8139/810x Family Fast Ethernet NIC Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&1&70 Manufacturer: Realtek Semiconductor Corp. Name: Realtek RTL8139/810x Family Fast Ethernet NIC PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&1&70 Service: RTL8023 ==== System Restore Points =================== RP58: 26/05/2009 15:50:32 - System Checkpoint RP59: 02/06/2009 12:26:51 - System Checkpoint RP60: 05/07/2009 14:15:16 - Software Distribution Service 3.0 RP61: 09/07/2009 18:32:03 - Software Distribution Service 3.0 RP62: 16/07/2009 17:50:22 - Software Distribution Service 3.0 RP63: 27/07/2009 22:10:28 - System Checkpoint RP64: 28/07/2009 22:32:05 - Software Distribution Service 3.0 RP65: 03/08/2009 21:45:05 - System Checkpoint RP66: 10/08/2009 00:35:50 - Software Distribution Service 3.0 RP67: 10/08/2009 20:28:30 - Printer Driver Microsoft XPS Document Writer Installed RP68: 11/08/2009 23:12:23 - System Checkpoint RP69: 18/08/2009 17:24:14 - Software Distribution Service 3.0 RP70: 21/08/2009 18:10:45 - Installed Adabas D 13.01.00 RP71: 21/08/2009 18:11:22 - Installed J2SE Runtime Environment 5.0 Update 6 RP72: 21/08/2009 18:12:33 - Installed StarOffice 8 RP73: 22/08/2009 11:55:34 - Installed Java 6 Update 15 
RP74: 26/08/2009 19:37:08 - System Checkpoint RP75: 26/08/2009 21:03:50 - Software Distribution Service 3.0 RP76: 31/08/2009 15:46:13 - System Checkpoint RP77: 02/09/2009 23:31:14 - Software Distribution Service 3.0 RP78: 11/09/2009 11:51:22 - Installed RollerCoaster Tycoon® 3 RP79: 11/09/2009 11:56:18 - Installed Windows Media Format 9 Series Runtime Setup RP80: 11/09/2009 13:00:40 - Software Distribution Service 3.0 RP81: 21/09/2009 13:34:08 - Software Distribution Service 3.0 RP82: 21/09/2009 15:47:29 - Automatic Restore Point ==== Installed Programs ====================== ABBYY FineReader 6.0 Sprint Ad-Aware Adabas D 13.01.00 Adobe Flash Player 10 ActiveX Adobe Reader 6.0 Apple Software Update avast! Antivirus Belkin 802.11g Wireless PCI Card BitComet 0.67 Deus Ex DivX Codec Flashpoint Resistance uninstall Google Earth Google Update Helper Google Updater HijackThis 2.0.2 Homeworld Homeworld Ship Editor Homeworld2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) J2SE Runtime Environment 5.0 Update 6 Java 6 Update 15 Lexmark 2300 Series Lexmark Fax Solutions LimeWire 4.18.8 LucasArts' Balance of Power LucasArts' X-Wing vs. 
TIE Fighter Microsoft .NET Framework (English) Microsoft .NET Framework (English) v1.0.3705 Microsoft .NET Framework 1.0 Hotfix (KB928367) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Internationalized Domain Names Mitigation APIs Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 Microsoft National Language Support Downlevel APIs Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Word 2000 Microsoft Works 2000 Microsoft Works 2000 Setup Launcher MSVC80_x86 MSXML 4.0 SP2 (KB954430) Nero Media Player Nero OEM NeroVision Express 2 SE Nokia Connectivity Cable Driver Nokia MTP driver Nokia PC Suite Nokia Software Updater NVIDIA Drivers Operation Flashpoint Gold Upgrade uninstall Operation Flashpoint uninstall PC Connectivity Solution PowerDVD QuickTime RealPlayer Basic Realtek AC'97 Audio REALTEK Gigabit and Fast Ethernet NIC Driver RollerCoaster Tycoon® 3 Saitek Gaming Extensions Security Update for Windows Internet Explorer 7 (KB938127-v2) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950762) Security Update for Windows XP 
(KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973869) Sky Broadband SopCast 2.0.4 Sound Blaster Live! 
Web 2K/XP Star Trek STCS v205 Beta 3 StarOffice 8 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB971930) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) VideoLAN VLC media player 0.8.6d Viewpoint Media Player Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 WebFldrs XP Windows Driver Package - Nokia Modem (02/23/2009 7.01.0.2) Windows Driver Package - Nokia Modem (02/24/2009 4.0) Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0) Windows Genuine Advantage Validation Tool (KB892130) Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Live installer Windows Live Messenger Windows Live Sign-in Assistant Windows XP Service Pack 3 WinRAR archiver Word in Works Suite add-in Worms2 ==== Event Viewer Messages From Past Week ======== 22/09/2009 19:13:03, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000D87DC8C7A has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message). 21/09/2009 13:42:48, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Lavasoft Ad-Aware Service service, but this action failed with the following error: An instance of the service is already running. 21/09/2009 13:37:42, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip 21/09/2009 13:37:42, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning. 
21/09/2009 13:37:42, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 21/09/2009 13:37:42, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 21/09/2009 13:37:42, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 21/09/2009 13:37:11, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 21/09/2009 13:37:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 21/09/2009 13:32:19, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s). 21/09/2009 13:07:11, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 4 time(s). 21/09/2009 13:06:41, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s). 21/09/2009 13:06:17, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. 21/09/2009 13:04:36, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). 
The following corrective action will be taken in 5000 milliseconds: Restart the service.

==== End Of File ===========================

GMER.txt

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-25 18:17:51
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\Ian\LOCALS~1\Temp\pwloyfoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF4B2D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF4B2D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF4B2DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF4B2D14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF4B2D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF4B2D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF4B2D0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF4B2D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF4B2D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF4B2D8AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[556] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 006C0002
IAT C:\WINDOWS\system32\services.exe[556] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 006C0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
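The DDS.txt in this post lists c:\windows\system32\CTSPKHLP32.dll under both AppInit_DLLs and a Winlogon Notify package, and the same file shows up in "Created Last 30" at 2009-09-16 10:15 next to GroupPolicy000.dat (system and hidden attributes), 27.tmp and nZzbloC.vbs. The script below is an added example, not the poster's logs or any code shipped with DDS; it automates that cross-check on a constructed excerpt modelled on the posted report. The five-minute window, the attribute test and the list of autostart prefixes are this example's own choices.

```python
"""Correlate DDS autostart entries with its "Created Last 30" file list.

Added example for this thread, not the poster's or DDS's own code. SAMPLE_DDS
is a constructed excerpt modelled on the posted DDS.txt; the five-minute
window and the attribute check are this example's own choices.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the posted DDS.txt (whitespace normalised).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
Notify: d80196dc669 - c:\windows\system32\CTSPKHLP32.dll
AppInit_DLLs: c:\windows\system32\CTSPKHLP32.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-21 64160]
=============== Created Last 30 ================
2009-09-21 18:03 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-21 13:03 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-16 10:15 1,482 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-09-16 10:15 0 a------- c:\windows\system32\27.tmp
2009-09-16 10:15 122,880 a------- c:\windows\system32\CTSPKHLP32.dll
2009-09-16 10:15 615 a------- c:\windows\system32\nZzbloC.vbs
2009-09-16 10:04 <DIR> --d----- c:\docume~1\ian\applic~1\LimeWire
2009-09-11 11:56 197,120 a------- c:\windows\patchw32.dll
==================== Find3M ====================
"""

CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
# First drive-letter path that ends in a loadable module or script extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx|vbs|dat)\b", re.IGNORECASE)
# DDS pseudo-HJT prefixes naming something loaded at logon or into IE (own list).
AUTOSTART_PREFIXES = ("uRun:", "mRun:", "dRun:", "Notify:", "AppInit_DLLs:",
                      "BHO:", "TB:", "StartupFolder:")


def parse_created(text):
    """Entries from 'Created Last 30': when, size, attrs, path and a lowercase key."""
    entries = []
    for raw in text.splitlines():
        m = CREATED_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs, "path": path, "key": path.lower(),
        })
    return entries


def autostart_paths(text):
    """Lowercase file paths referenced by autostart, service and driver lines."""
    paths = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(AUTOSTART_PREFIXES) or re.match(r"^[RS]\d ", line):
            m = PATH_RE.search(line)
            if m:
                paths.add(m.group(0).lower())
    return paths


def correlate(text, window_minutes=5):
    """Anchor path -> files created within window_minutes of each autostart file.

    Droppers tend to write payload, loader script and helper files in one burst,
    so the neighbours of a suspect autostart file are the next things to inspect.
    Results are ordered by creation time, then by path.
    """
    created = parse_created(text)
    starts = autostart_paths(text)
    window = timedelta(minutes=window_minutes)
    clusters = {}
    for anchor in created:
        if anchor["key"] not in starts:
            continue
        near = [e for e in created if abs(e["when"] - anchor["when"]) <= window]
        near.sort(key=lambda e: (e["when"], e["key"]))
        clusters[anchor["key"]] = [e["path"] for e in near]
    return clusters


def hidden_system(entries):
    """Files (not directories) carrying both the DDS 's' and 'h' attribute flags."""
    return [e["path"] for e in entries
            if e["size"] is not None and "s" in e["attrs"] and "h" in e["attrs"]]


if __name__ == "__main__":
    for anchor, paths in correlate(SAMPLE_DDS).items():
        print(f"autostart file {anchor} was created alongside:")
        for p in paths:
            print("   ", p)
    print("system+hidden:", hidden_system(parse_created(SAMPLE_DDS)))
```

On the excerpt, the Ad-Aware driver Lbd.sys is an anchor with no neighbours (installed on its own on 21/09), while CTSPKHLP32.dll sits in a four-file burst; widening the window to fifteen minutes also pulls in the LimeWire profile directory created eleven minutes earlier, which is the sort of context a helper wants before deciding what to submit for analysis.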
7. I realise this; I was simply adding the information that I could scan my computer after a fashion. It would appear that I'm not the only person with this problem and I'd like to find a solution to it, as the limited scan that I can do is not sufficient to remove the malware infection. As yet, I'm still waiting for help on my post of my HJT log as well :-(
8. *****UPDATE****** I have found that I can scan items by right-clicking and selecting 'Scan with Ad-Aware' from the context menu. This works without any problems, and I have been able to remove some things. However, the infection remains. A scan started from within Ad-Aware itself seems to exit when it's scanning the running processes. It simply scans them for a few seconds then vanishes! Weird...
9. This is my HijackThis log relating to this topic: http://www.lavasoftsupport.com/index.php?showtopic=27102

Log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51:57, on 21/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [sAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,[email protected]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm561YYGB
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\CTSPKHLP32.dll
O20 - Winlogon Notify: d80196dc669 - C:\WINDOWS\System32\CTSPKHLP32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7713 bytes

Any help greatly appreciated!

Thanks,
Crytter
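Reading the log above by hand, the entries a helper looks at first are the two O20 lines (AppInit_DLLs and a Winlogon Notify package named d80196dc669, both pointing at C:\WINDOWS\System32\CTSPKHLP32.dll), the R3 URLSearchHook and the orphaned O2 BHO with no file. The script below is an added example, not the poster's log or any code from HijackThis; it turns that reading into rules applied to a constructed excerpt of the posted lines. The scoring rules and the hex-name heuristic are this example's own, and a hit means "inspect this", not "this is malware".

```python
"""Triage a HijackThis (HJT) log by its autostart entries.

Added example for this thread, not the poster's or HijackThis's own code.
SAMPLE_HJT is a constructed excerpt modelled on the posted log; the rules in
score() are one responder's heuristics and flag entries to inspect, nothing more.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted log (whitespace normalised), not the full log.
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\CTSPKHLP32.dll
O20 - Winlogon Notify: d80196dc669 - C:\WINDOWS\System32\CTSPKHLP32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First drive-letter path ending in a loadable module or script extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|ocx|vbs)\b", re.IGNORECASE)
# Winlogon Notify packages normally carry readable names; a bare hex string
# of eight or more characters is the kind of name worth a second look (heuristic).
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)


def parse(text):
    """One dict per HJT entry: section code, body text, file path (None if missing)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        code, body = m.groups()
        match = None if "(no file)" in body else PATH_RE.search(body)
        entries.append({"code": code, "body": body,
                        "path": match.group(0) if match else None})
    return entries


def score(entry):
    """Reasons this entry deserves a look; an empty list means nothing stood out."""
    code, body, path = entry["code"], entry["body"], entry["path"]
    reasons = []
    if code == "O20" and body.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs loads this DLL into every process that maps user32.dll")
    if code == "O20" and body.startswith("Winlogon Notify"):
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        if HEX_NAME.match(name):
            reasons.append(f"Winlogon Notify package with random-looking name {name!r}")
    if code == "R3" and "URLSearchHook" in body:
        reasons.append("URLSearchHook rewrites address-bar searches")
    if "(no file)" in body:
        reasons.append("orphaned registration: component registered but file missing")
    if "(no name)" in body and path:
        reasons.append("component with no display name but a file on disk")
    return reasons


def triage(text):
    """All flagged entries, in log order, each with its list of reasons."""
    flagged = []
    for entry in parse(text):
        reasons = score(entry)
        if reasons:
            flagged.append(dict(entry, reasons=reasons))
    return flagged


def shared_paths(entries):
    """Files registered in more than one autostart location: lowercase path -> [codes].

    One DLL reached through several mechanisms is a stronger signal than any
    single entry (CTSPKHLP32.dll is both AppInit_DLLs and Winlogon Notify here).
    """
    seen = defaultdict(list)
    for e in entries:
        if e["path"]:
            seen[e["path"].lower()].append(e["code"])
    return {p: codes for p, codes in seen.items() if len(codes) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f["code"], f["path"] or "(no file)")
        for r in f["reasons"]:
            print("   -", r)
    for p, codes in shared_paths(parse(SAMPLE_HJT)).items():
        print("shared:", p, codes)
```

The rules are deliberately narrow: they say nothing about the O4 Run entries or the O23 services, where a helper would compare each path against the vendor it claims, and they never treat a hit as proof. The value is the combination: the same DLL under two O20 mechanisms, created together with the other files listed in the DDS log, is what makes it the first thing to submit for analysis.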
  10. I have recently installed Ad-Aware AE as I believe I have a malware infection. Every time I try to scan my computer it runs for a few seconds then just crashes to the desktop. The program simply vanishes, no warning, no error message, no nothing! I run Windows XP and Avast Antivirus, and have tried disabling this to no effect. I have also tried booting into safe mode and running a scan, also with the same result. I don't know what else to do, please help!!!