
[Inactive] Browser Hijack?

Discussion in 'Malware and Virus Removal Archive' started by DaveC1947, 2009/08/13.

  1. 2009/08/13
    DaveC1947 (Thread Starter)

    Evan has asked me to open this thread and post the DDS logs

    Original thread ... http://www.windowsbbs.com/internet-explorer/86287-browser-hijack.html

    Problem:
    I always set my homepage to about:blank; this helps detect browser hijacks, as about:blank is a local file and does not require internet access.
    3 days ago Ad-Aware told me that I had a trojan in Wininet.dll, and promptly quarantined the file. Explorer.exe uses this file, so all I could get was my background screen and no programme access, not even in safe mode.
    Re-installed XP and all service packs.
    When I open IE6 or IE7, Zone Alarm tells me IE is asking for internet access through the loop-back adaptor 127.0.0.1 port 5152.
    This has not happened for the previous 3 years on XP, and I believe that 5152 is a UDP port, i.e. no handshake protocols.
    Is this a Trojan? Google Chrome opens to the blank page without asking for access to the internet.

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Dave at 19:42:06.64 on 13/08/2009
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.502 [GMT 2:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: avast! antivirus 4.8.1335 [VPS 090812-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Dave\Desktop\dds.scr
    C:\Documents and Settings\Dave\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: &TerraTec Home Cinema: {ad6e6555-fb2c-47d4-8339-3e2965509877} - c:\progra~1\terratec\terrat~1\THCDES~1.DLL
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    uRun: [EPSON Stylus D92 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibze.exe /fu "c:\docume~1\dave\locals~1\temp\E_S40.tmp" /EF "HKCU "
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    mRun: [VTTimer] VTTimer.exe
    mRun: [VTTrayp] VTtrayp.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [InCD] c:\program files\ahead\incd\InCD.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-25 64160]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-2-27 17920]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-27 114768]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-13 353672]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-27 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-27 138680]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
    R2 TomTomHOMEService;TomTomHOMEService;e:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-27 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-27 352920]
    S2 gupdate1c9f695b2549a3e;Google Update Service (gupdate1c9f695b2549a3e);c:\program files\google\update\GoogleUpdate.exe [2009-6-26 133104]
    S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
    S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-8-7 77312]

    =============== Created Last 30 ================

    2009-08-13 17:55 22,221 a------- c:\windows\system32\AAWService_2009_08_13_17_55_36.dmp
    2009-08-13 15:40 1,221,512 a------- c:\windows\system32\zpeng25.dll
    2009-08-13 15:40 <DIR> --d----- c:\windows\system32\ZoneLabs
    2009-08-13 15:40 350,192 a------- c:\windows\system32\vsconfig.xml
    2009-08-13 10:15 230 a------- c:\windows\system32\spupdsvc.inf
    2009-08-12 18:21 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
    2009-08-12 18:21 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
    2009-08-12 18:21 268,288 -c------ c:\windows\system32\dllcache\iertutil.dll
    2009-08-12 18:21 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
    2009-08-12 18:21 6,067,200 -c------ c:\windows\system32\dllcache\ieframe.dll
    2009-08-12 18:21 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
    2009-08-12 18:21 2,452,872 -c------ c:\windows\system32\dllcache\ieapfltr.dat
    2009-08-12 18:21 380,928 -c------ c:\windows\system32\dllcache\ieapfltr.dll
    2009-08-12 18:21 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
    2009-08-12 12:29 100,418 -------- c:\windows\hpgins13.dat.temp
    2009-08-12 12:29 173 -------- c:\windows\hpgmdl13.dat
    2009-08-11 21:58 457,607 -c------ c:\windows\system32\dllcache\mdlib.wmv
    2009-08-11 21:58 5,971 -c------ c:\windows\system32\dllcache\events.js
    2009-08-11 21:58 294,912 -c------ c:\windows\system32\dllcache\dlimport.exe
    2009-08-11 21:58 381,425 -c------ c:\windows\system32\dllcache\copycd.wmv
    2009-08-11 21:58 9,585 -c------ c:\windows\system32\dllcache\controls.css
    2009-08-11 21:58 8,298 -c------ c:\windows\system32\dllcache\contents.htm
    2009-08-11 21:58 6,878 -c------ c:\windows\system32\dllcache\controls.js
    2009-08-11 21:58 773 -c------ c:\windows\system32\dllcache\cnth.gif
    2009-08-11 21:58 773 -c------ c:\windows\system32\dllcache\cnt.gif
    2009-08-11 21:58 772 -c------ c:\windows\system32\dllcache\cntd.gif
    2009-08-11 21:58 760 -c------ c:\windows\system32\dllcache\cloapph.gif
    2009-08-11 21:58 717 -c------ c:\windows\system32\dllcache\cloapp.gif
    2009-08-11 21:58 999 -c------ c:\windows\system32\dllcache\bktrh.gif
    2009-08-11 21:14 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
    2009-08-11 21:12 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
    2009-08-11 21:09 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
    2009-08-11 21:09 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
    2009-08-11 21:09 333,952 -c------ c:\windows\system32\dllcache\srv.sys
    2009-08-11 21:08 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
    2009-08-11 21:08 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
    2009-08-11 21:07 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
    2009-08-11 21:07 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-08-11 20:30 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
    2009-08-11 20:30 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
    2009-08-11 20:30 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
    2009-08-11 20:30 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
    2009-08-11 20:30 65,536 ac------ c:\windows\system32\dllcache\winime.ime
    2009-08-11 20:30 79,360 ac------ c:\windows\system32\dllcache\winar30.ime
    2009-08-11 20:30 72,704 ac------ c:\windows\system32\dllcache\wingb.ime
    2009-08-11 20:30 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
    2009-08-11 20:30 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
    2009-08-11 20:30 426,041 ac------ c:\windows\system32\dllcache\voicepad.dll
    2009-08-11 20:30 86,073 ac------ c:\windows\system32\dllcache\voicesub.dll
    2009-08-11 20:30 48,256 ac------ c:\windows\system32\dllcache\w32.dll
    2009-08-11 20:28 92,416 ac------ c:\windows\system32\dllcache\mga.sys
    2009-08-11 20:27 45,056 ac------ c:\windows\system32\dllcache\EXCH_aqadmin.dll
    2009-08-11 20:27 5,632 ac------ c:\windows\system32\dllcache\EXCH_adsiisex.dll
    2009-08-11 20:26 488 a---hr-- c:\windows\system32\logonui.exe.manifest
    2009-08-11 20:26 749 a---hr-- c:\windows\WindowsShell.Manifest
    2009-08-11 20:26 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
    2009-08-11 20:26 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
    2009-08-11 20:26 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
    2009-08-11 20:25 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
    2009-08-11 20:10 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
    2009-08-11 20:10 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
    2009-08-11 20:10 24,661 a------- c:\windows\system32\spxcoins.dll
    2009-08-11 20:10 13,312 a------- c:\windows\system32\irclass.dll
    2009-08-11 20:10 797,189 ac------ c:\windows\system32\dllcache\NT5IIS.CAT
    2009-08-11 20:10 399,645 ac------ c:\windows\system32\dllcache\MAPIMIG.CAT
    2009-08-11 20:10 37,484 ac------ c:\windows\system32\dllcache\MW770.CAT
    2009-08-11 20:10 13,472 ac------ c:\windows\system32\dllcache\HPCRDP.CAT
    2009-08-11 20:10 8,574 ac------ c:\windows\system32\dllcache\IASNT4.CAT
    2009-08-11 20:10 7,382 ac------ c:\windows\system32\dllcache\OEMBIOS.CAT
    2009-08-11 20:10 13,753 a----r-- c:\windows\SET90.tmp
    2009-08-11 20:10 1,086,058 a----r-- c:\windows\SET84.tmp
    2009-08-11 20:09 1,042,903 a----r-- c:\windows\SET81.tmp
    2009-08-07 21:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
    2009-08-07 21:41 <DIR> --d----- c:\program files\PCPitstop
    2009-08-05 11:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-31 08:45 268,648 a------- c:\windows\system32\mucltui.dll
    2009-07-31 08:45 27,496 a------- c:\windows\system32\mucltui.dll.mui
    2009-07-29 06:37 119,808 -c------ c:\windows\system32\dllcache\t2embed.dll
    2009-07-29 06:37 81,920 -c------ c:\windows\system32\dllcache\fontsub.dll
    2009-07-25 19:02 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-07-25 15:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-07-25 15:20 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-25 15:19 <DIR> --d----- c:\program files\Lavasoft
    2009-07-25 12:46 <DIR> --d----- c:\docume~1\dave\applic~1\Windows Search
    2009-07-18 18:05 3,069,440 ac------ c:\windows\system32\dllcache\mshtml.dll
    2009-07-18 18:05 1,509,888 -c------ c:\windows\system32\dllcache\shdocvw.dll
    2009-07-18 17:27 <DIR> --d----- c:\docume~1\dave\applic~1\AeroSnapApp
    2009-07-16 22:45 <DIR> --d----- c:\docume~1\dave\applic~1\Windows Desktop Search
    2009-07-16 22:37 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-07-16 22:36 575,488 a------- c:\windows\system32\xpsshhdr.dll
    2009-07-16 22:36 117,760 a------- c:\windows\system32\prntvpt.dll
    2009-07-16 22:36 1,676,288 a------- c:\windows\system32\xpssvcs.dll
    2009-07-16 22:36 <DIR> --d----- C:\48b95bde1f6d16034b
    2009-07-16 22:06 <DIR> --d----- c:\windows\system32\GroupPolicy
    2009-07-16 22:06 <DIR> --d----- c:\program files\Windows Desktop Search

    ==================== Find3M ====================

    2009-08-13 15:40 4,212 a---h--- c:\windows\system32\zllictbl.dat
    2009-08-12 12:49 100,418 a------- c:\windows\hpgins13.dat
    2009-08-11 20:24 23,348 a------- c:\windows\system32\emptyregdb.dat
    2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-07-29 06:37 119,808 a------- c:\windows\system32\t2embed.dll
    2009-07-29 06:37 81,920 a------- c:\windows\system32\fontsub.dll
    2009-07-17 21:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
    2009-06-29 18:12 78,336 a------- c:\windows\system32\ieencode.dll
    2009-06-29 18:12 17,408 a------- c:\windows\system32\corpol.dll
    2009-06-26 18:50 666,624 a------- c:\windows\system32\wininet.dll
    2009-06-25 10:25 730,112 a------- c:\windows\system32\lsasrv.dll
    2009-06-25 10:25 301,568 a------- c:\windows\system32\kerberos.dll
    2009-06-25 10:25 147,456 a------- c:\windows\system32\schannel.dll
    2009-06-25 10:25 136,192 a------- c:\windows\system32\msv1_0.dll
    2009-06-25 10:25 56,832 a------- c:\windows\system32\secur32.dll
    2009-06-25 10:25 54,272 a------- c:\windows\system32\wdigest.dll
    2009-06-24 13:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
    2009-06-12 14:31 76,288 a------- c:\windows\system32\telnet.exe
    2009-06-10 16:13 84,992 a------- c:\windows\system32\avifil32.dll
    2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
    2009-06-10 08:14 132,096 a------- c:\windows\system32\wkssvc.dll
    2009-06-03 21:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
    2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll

    ============= FINISH: 19:42:25.04 ===============
    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/08/2009 20:30:17
    System Uptime: 13/08/2009 17:55:59 (2 hours ago)

    Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7312
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2199/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 130.914 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 153 GiB total, 111.372 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 11/08/2009 20:37:29 - System Checkpoint
    RP2: 11/08/2009 21:03:18 - Software Distribution Service 3.0
    RP3: 11/08/2009 21:18:11 - Software Distribution Service 3.0
    RP4: 11/08/2009 22:27:39 - Software Distribution Service 3.0
    RP5: 11/08/2009 22:48:59 - Software Distribution Service 3.0
    RP6: 12/08/2009 00:15:49 - Software Distribution Service 3.0
    RP7: 12/08/2009 17:48:39 - Software Distribution Service 3.0
    RP8: 12/08/2009 18:28:27 - Software Distribution Service 3.0
    RP9: 13/08/2009 10:09:56 - Software Distribution Service 3.0

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.6
    Adobe Shockwave Player 11
    AeroSnap 0.61
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    avast! Antivirus
    AviSynth 2.5
    Bonjour
    BufferChm
    Calculator Powertoy for Windows XP
    CFi ShellToys v6.4.0
    CP_CalendarTemplates1
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    cp_PosterPrintConfig
    CueTour
    d2mp
    Destinations
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    EclipseCrossword
    EPSON Printer Software
    EPSON Stylus C90_91_D92 Manual
    EPSON Web-To-Page
    Error Messages for Windows
    eSupportQFolder
    ffdshow [rev 2693] [2009-02-16]
    FullDPAppQFolder
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Haali Media Splitter
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Product Assistant
    HP Scanjet 3800 series 7.0
    HP Solution Center 7.0
    HP Update
    hpg3800
    hpg3800QFolder
    HPProductAssistant
    InstantShareDevices
    iTunes
    Java(TM) 6 Update 14
    LAME v3.98.2 for Audacity
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB954430)
    Nero Suite
    OCR Software by I.R.I.S 7.0
    PC Alert 4
    PC Pitstop Exterminate2 2.0
    PhotoGallery
    Platform
    PowerDVD
    QuickTime
    RandMap
    Realtek AC'97 Audio
    Scan
    ScannerCopy
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    SkinsHP1
    SolutionCenter
    Sonic_PrimoSDK
    SpeedFan (remove only)
    Spelling Dictionaries Support For Adobe Reader 8
    Spotify
    TerraTec Home Cinema
    TomTom HOME 2.6.2.1586
    TomTom HOME Visual Studio Merge Modules
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    VIA Platform Device Manager
    VIA Rhine-Family Fast-Ethernet Adapter
    VIA/S3G Display Driver
    VIA/S3G Display Driver 6.14.10.0297
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    WebReg
    WhiteCap
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Driver Package - Hewlett-Packard Image (12/28/2006 8.0.0.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    XviD 1.1 final uninstall
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    11/08/2009 20:34:19, error: BITS [16391] - The BITS job list is not in a recognized format. It may have been created by a different version of BITS. The job list has been cleared.
    11/08/2009 20:31:41, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
    11/08/2009 20:26:50, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments " " in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
    11/08/2009 18:04:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 18:04:52, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/08/2009 17:59:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/08/2009 17:56:06, error: Service Control Manager [7023] - The WebClient service terminated with the following error: The specified module could not be found.
    11/08/2009 17:56:06, error: Service Control Manager [7023] - The Network Connections service terminated with the following error: The specified module could not be found.
    11/08/2009 17:56:06, error: Service Control Manager [7023] - The Cryptographic Services service terminated with the following error: The specified module could not be found.
    11/08/2009 17:56:06, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
    11/08/2009 17:56:06, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error: The specified module could not be found.
    11/08/2009 17:56:06, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the Cryptographic Services service which failed to start because of the following error: The specified module could not be found.
    11/08/2009 17:56:06, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/08/2009 17:45:45, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: Access is denied.
    11/08/2009 17:45:45, error: Rasman [20035] - Remote Access Connection Manager failed to start because it could not create buffers. Restart the computer. Access is denied.
    11/08/2009 17:43:37, error: Service Control Manager [7023] - The Remote Access Connection Manager service terminated with the following error: The specified module could not be found.
    11/08/2009 17:43:37, error: RemoteAccess [20151] - The Control Protocol EAP in the Point to Point Protocol module C:\WINDOWS\System32\rasppp.dll returned an error while initializing. The specified module could not be found.
    11/08/2009 17:43:37, error: RemoteAccess [20070] - Point to Point Protocol engine was unable to load the C:\WINDOWS\System32\rastls.dll module. The specified module could not be found.
    11/08/2009 17:43:37, error: Rasman [20063] - Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.
    07/08/2009 13:18:35, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
    Many thanks,

    Dave
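A check a practitioner would run before assuming a trojan, added here as an example and not part of the original post: ZoneAlarm only reports that IE connected to 127.0.0.1:5152; `netstat -ano` (or `netstat -anb` on XP SP2 and later, which also prints the owning image) shows which local process actually owns that port and whether it is TCP or UDP, and `tasklist /fo csv` maps the PID to an image name. The command output embedded below is constructed, and its PIDs and image names are assumptions chosen for illustration, not values from the DDS log. The DDS log above does show jqs.exe (Java Quick Starter) running and its JQSIEStartDetectorImpl BHO loaded into IE, and Java Quick Starter is known to open a listener on localhost, so that is the first candidate this check would confirm or rule out.

```python
"""Added example (not from the original post): resolve a loopback endpoint such as
127.0.0.1:5152 to the process that listens on it and the process that connects
to it, from the text output of `netstat -ano` and `tasklist /fo csv`.
The sample command output below is constructed; PIDs and image names are
assumptions chosen for illustration, not values taken from the DDS log."""
import csv
import io
import subprocess
import sys
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample resembling `netstat -ano` on Windows XP (UDP rows have no State column).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       1720
  TCP    127.0.0.1:5152         127.0.0.1:1043         ESTABLISHED     1720
  TCP    127.0.0.1:1043         127.0.0.1:5152         ESTABLISHED     2388
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample resembling `tasklist /fo csv`.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,812 K"
"jqs.exe","1720","Console","0","1,404 K"
"iexplore.exe","2388","Console","0","22,196 K"
"""


class Socket(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: str   # empty for UDP
    pid: int
    image: str   # from tasklist, or from a `netstat -b` bracket line


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_netstat(text: str, pids: Optional[Dict[int, str]] = None) -> List[Socket]:
    """Parse netstat rows; also honours the `[image.exe]` lines that `netstat -anb` prints
    under each socket, which matters on XP Home where tasklist.exe may be missing."""
    pids = pids or {}
    rows: List[Socket] = []
    for raw in text.splitlines():
        line = raw.strip()
        if rows and line.startswith("[") and line.endswith("]"):
            rows[-1] = rows[-1]._replace(image=line[1:-1])
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or a `-b` component line such as a DLL path
        state = parts[3] if len(parts) == 5 else ""
        pid = int(parts[-1])
        rows.append(Socket(parts[0], parts[1], parts[2], state, pid, pids.get(pid, "?")))
    return rows


Owner = Tuple[str, str, int, str]  # (proto, state, pid, image)


def endpoint_owners(rows: List[Socket], ip: str, port: int) -> List[Owner]:
    """Processes whose *local* socket is ip:port, i.e. whoever opened the port."""
    target = f"{ip}:{port}"
    return sorted({(s.proto, s.state, s.pid, s.image) for s in rows if s.local == target})


def endpoint_clients(rows: List[Socket], ip: str, port: int) -> List[Owner]:
    """Processes connected *to* ip:port, which is what a firewall prompt reports."""
    target = f"{ip}:{port}"
    return sorted({(s.proto, s.state, s.pid, s.image) for s in rows if s.foreign == target})


def live_report(ip: str, port: int) -> Tuple[List[Owner], List[Owner]]:
    """Run the real commands on a Windows host and return (owners, clients)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("netstat -ano and tasklist are Windows commands")
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True, text=True).stdout
    rows = parse_netstat(ns, parse_tasklist(tl))
    return endpoint_owners(rows, ip, port), endpoint_clients(rows, ip, port)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT, parse_tasklist(SAMPLE_TASKLIST))
    print("owns 127.0.0.1:5152 :", endpoint_owners(rows, "127.0.0.1", 5152))
    print("connects to it      :", endpoint_clients(rows, "127.0.0.1", 5152))
```

Two things this resolves that the firewall prompt does not: the Proto column says whether the port is TCP or UDP, and the listener side names the process that opened it, while the client side names what IE (or a BHO loaded into it) is talking to. If tasklist.exe is not present on XP Home, `netstat -anb` run as an administrator gives the image name directly and the parser picks it up from the bracketed line; Process Explorer's TCP/IP tab shows the same thing.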
     
  2. 2009/08/13
    broni (Moderator, Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2009/08/14
    DaveC1947

    DaveC1947 Inactive Thread Starter

    Joined:
    2008/03/21
    Messages:
    23
    Likes Received:
    1
    Thanks Broni, logs follow

    ComboFix 09-08-10.06 - Dave 14/08/2009 10:49.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.616 [GMT 2:00]
    Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090813-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Dave\LOCALS~1\Temp\install_flash_player.exe


    .
    ((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
    .

    2009-08-13 13:40 . 2009-02-15 22:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
    2009-08-13 13:40 . 2009-02-15 22:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
    2009-08-13 13:40 . 2009-02-15 22:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
    2009-08-13 13:40 . 2009-08-13 13:40 -------- d-----w- c:\windows\system32\ZoneLabs
    2009-08-12 16:21 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-08-12 16:21 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2009-08-12 16:21 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2009-08-12 16:21 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-12 16:21 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2009-08-12 16:21 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
    2009-08-12 16:21 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
    2009-08-12 16:21 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
    2009-08-12 10:48 . 2009-08-12 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2009-08-12 10:29 . 2006-03-08 16:33 173 ------w- c:\windows\hpgmdl13.dat
    2009-08-11 19:59 . 2004-08-04 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
    2009-08-11 19:59 . 2004-08-04 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
    2009-08-11 19:59 . 2008-04-13 21:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
    2009-08-11 19:58 . 2008-04-14 04:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
    2009-08-11 19:14 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2009-08-11 19:13 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2009-08-11 19:13 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
    2009-08-11 19:13 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2009-08-11 19:13 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2009-08-11 19:13 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2009-08-11 19:13 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2009-08-11 19:13 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2009-08-11 19:13 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2009-08-11 19:13 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2009-08-11 19:13 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-08-11 19:13 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-08-11 19:13 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-08-11 19:09 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2009-08-11 19:09 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2009-08-11 19:09 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
    2009-08-11 19:08 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-11 19:08 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
    2009-08-11 19:07 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2009-08-11 19:07 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2009-08-11 18:30 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
    2009-08-11 18:30 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
    2009-08-11 18:30 . 2008-04-14 00:11 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
    2009-08-11 18:30 . 2008-04-14 00:11 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
    2009-08-11 18:30 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
    2009-08-11 18:28 . 2004-08-04 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
    2009-08-11 18:27 . 2001-08-17 20:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
    2009-08-11 18:27 . 2001-08-17 20:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
    2009-08-11 18:25 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
    2009-08-11 18:10 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2009-08-11 18:10 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2009-08-11 18:10 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2009-08-11 18:10 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2009-08-07 19:42 . 2009-08-07 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
    2009-08-07 19:41 . 2009-08-07 19:41 -------- d-----w- c:\program files\PCPitstop
    2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-31 06:45 . 2008-10-16 12:06 268648 ----a-w- c:\windows\system32\mucltui.dll
    2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2009-07-25 17:02 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-07-25 13:34 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-25 13:20 . 2009-07-25 13:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-25 13:20 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-25 13:19 . 2009-07-25 13:19 -------- d-----w- c:\program files\Lavasoft
    2009-07-25 10:46 . 2009-07-25 10:46 -------- d-----w- c:\documents and settings\Dave\Application Data\Windows Search
    2009-07-18 16:05 . 2009-07-18 16:05 3069440 -c--a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-07-18 16:05 . 2009-07-18 16:05 1509888 -c----w- c:\windows\system32\dllcache\shdocvw.dll
    2009-07-18 15:27 . 2009-07-18 15:27 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\AeroSnapApp
    2009-07-18 15:27 . 2009-07-18 15:27 -------- d-----w- c:\documents and settings\Dave\Application Data\AeroSnapApp
    2009-07-16 20:45 . 2009-07-16 20:45 -------- d-----w- c:\documents and settings\Dave\Application Data\Windows Desktop Search
    2009-07-16 20:37 . 2009-07-16 20:37 -------- d-----w- c:\windows\system32\XPSViewer
    2009-07-16 20:37 . 2009-07-16 20:37 -------- d-----w- c:\program files\MSBuild
    2009-07-16 20:37 . 2009-07-16 20:37 -------- d-----w- c:\program files\Reference Assemblies
    2009-07-16 20:36 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
    2009-07-16 20:36 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
    2009-07-16 20:36 . 2009-07-16 20:37 -------- d-----w- C:\48b95bde1f6d16034b
    2009-07-16 20:36 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
    2009-07-16 20:06 . 2009-07-17 21:23 -------- d-----w- c:\program files\Windows Desktop Search
    2009-07-16 20:06 . 2009-07-16 20:06 -------- d-----w- c:\windows\system32\GroupPolicy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-13 13:52 . 2009-03-13 13:38 -------- d-----w- c:\program files\Bonjour
    2009-08-13 13:40 . 2009-05-07 19:41 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2009-08-12 15:38 . 2009-06-09 10:17 -------- d-----w- c:\program files\SpeedFan
    2009-08-12 10:49 . 2009-04-03 16:24 100418 ----a-w- c:\windows\hpgins13.dat
    2009-08-12 10:49 . 2009-03-03 21:11 22560 ----a-w- c:\documents and settings\Dave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-12 10:26 . 2009-05-07 16:48 -------- d-----w- c:\program files\COL11002
    2009-08-11 21:02 . 2009-05-06 22:05 -------- d-----w- c:\documents and settings\Dave\Application Data\U3
    2009-08-11 18:24 . 2009-02-27 16:45 23348 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-08-08 22:53 . 2009-05-17 16:39 -------- d-----w- c:\documents and settings\Dave\Application Data\Spotify
    2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-01 08:39 . 2009-03-31 21:00 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-07-25 13:19 . 2009-06-11 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 10:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-11 12:01 . 2009-07-11 12:01 -------- d-----w- c:\program files\ToniArts
    2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-26 19:40 . 2009-02-27 17:04 -------- d-----w- c:\program files\Google
    2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2009-06-16 20:10 . 2009-03-04 17:51 -------- d-----w- c:\program files\Java
    2009-06-16 20:10 . 2009-06-16 20:10 152576 ----a-w- c:\documents and settings\Dave\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-16 20:04 . 2009-06-16 20:04 -------- d-----w- c:\program files\EclipseCrossword
    2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 07:19 . 2009-02-27 16:44 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-08 12:21 . 2009-06-08 12:21 1561305 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-30 11:43 . 2009-05-30 11:43 3584 ----a-r- c:\documents and settings\Dave\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
    2009-05-21 09:33 . 2009-03-04 17:51 410984 ----a-w- c:\windows\system32\deploytk.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\CFi]
    @="{2DBD5D71-CBB7-41D1-B170-511646B170BD}"
    [HKEY_CLASSES_ROOT\CLSID\{2DBD5D71-CBB7-41D1-B170-511646B170BD}]
    2008-10-17 15:31 55296 ----a-w- c:\progra~1\CFi\SHELLT~1\CFiShlJP.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-03 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-28 1381376]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
    "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-14 53248]
    "VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2007-04-25 176128]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Alert 4.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Alert 4.lnk
    backup=c:\windows\pss\PC Alert 4.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^speedfan.exe.lnk]
    path=c:\documents and settings\Dave\Start Menu\Programs\Startup\speedfan.exe.lnk
    backup=c:\windows\pss\speedfan.exe.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "e:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "e:\\Program Files\\iTunes.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\tvtvSetup\\tvtv_Wizard.exe"=
    "c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\CinergyDvr.exe"=
    "c:\\Program Files\\TerraTec\\TerraTec Home Cinema\\VersionCheck\\VersionCheck.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/07/2009 15:34 64160]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [27/02/2009 18:54 17920]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [27/02/2009 19:06 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/02/2009 19:06 20560]
    R2 TomTomHOMEService;TomTomHOMEService;e:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 12:38 92008]
    S2 gupdate1c9f695b2549a3e;Google Update Service (gupdate1c9f695b2549a3e);c:\program files\Google\Update\GoogleUpdate.exe [26/06/2009 21:38 133104]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 16:49 1029456]
    S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [07/08/2009 21:41 77312]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-13 c:\windows\Tasks\Ad-Aware Update (Daily).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 19:38]

    2009-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-26 19:38]

    2009-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1935655697-839522115-1004.job
    - c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-03 12:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearch Bar = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-14 10:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1715567821-1935655697-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2009-08-14 10:54
    ComboFix-quarantined-files.txt 2009-08-14 08:54

    Pre-Run: 140,771,016,704 bytes free
    Post-Run: 140,886,040,576 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    Current=5 Default=5 Failed=0 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
    244 --- E O F --- 2009-08-13 08:10

    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:58, on 14/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Dave\Desktop\Dave's Bits\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~1\TerraTec\TERRAT~1\THCDES~1.DLL
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate1c9f695b2549a3e) (gupdate1c9f695b2549a3e) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: TomTomHOMEService - TomTom - E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Many thanks

    Dave
     
  5. 2009/08/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your HJT version is a little bit outdated, but it's good enough for me to say that I don't see any indication of any infection coming from the Combofix or HJT log.

    Please, repost your problem under Windows section.
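As an added example, not from this thread and not part of HijackThis itself, here is a small Python triage pass over a handful of the HJT lines posted above. It flags the entry types an analyst reads first: Run entries that name an executable without a full path, services with no recorded publisher or an image reported missing, and Winsock LSP or Winlogon Notify hooks with unknown or missing modules. The line-format rules are assumptions derived from the v1.99.1 log itself, and every hit is a lead to verify by hand, not a verdict.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis
# v1.99.1 log posted earlier in this thread (backslashes doubled for Python).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [VTTimer] VTTimer.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\\System32\\dimsntfy.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# A drive letter, an expanded environment variable or a UNC prefix counts as a full path.
FULL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\|\\\\)")


def parse_entries(text):
    """Return (section, body) pairs for every HJT entry line; banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage_o4(body):
    """Run-key autostart. A bare file name is resolved through the search path
    rather than a fixed location, so confirm which file actually gets loaded."""
    m = re.match(r"(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", body)
    if not m:
        return None
    cmd = m.group("cmd").strip().strip('"')
    if FULL_PATH_RE.match(cmd):
        return None
    return f"O4 [{m.group('name')}] runs '{cmd}' without a full path"


def triage_o23(body):
    """Service entry: 'Service: <name> - <owner> - <image path>'."""
    if not body.startswith("Service: "):
        return None
    parts = body[len("Service: "):].split(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, image = parts
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no publisher recorded")
    if image.endswith("(file missing)"):
        # In this log the image text still carries the closing quote and the
        # arguments of the service command line, so the path HJT tested is not
        # the real one: cut at the stray quote and check that file by hand.
        checkable = image.split('"', 1)[0]
        reasons.append(f"reported missing; verify {checkable}")
    return f"O23 {name}: " + "; ".join(reasons) if reasons else None


def triage_hook(sec, body):
    """O10 (Winsock LSP) and O20 (Winlogon Notify) modules load into networking
    and logon; an unknown or missing module there is always worth a look."""
    if "(file missing)" in body or body.startswith("Unknown file"):
        return f"{sec} {body}"
    return None


def triage_log(text):
    """Run every rule over the log and return the findings in log order."""
    rules = {"O4": triage_o4, "O23": triage_o23}
    findings = []
    for sec, body in parse_entries(text):
        if sec in rules:
            hit = rules[sec](body)
        elif sec in ("O10", "O20"):
            hit = triage_hook(sec, body)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

On the sample above it reports four leads (the bare VTTimer.exe, the Bonjour LSP, the dimsntfy Winlogon hook and the avast! Mail Scanner service), all of which the thread's log shows resolve to known software once checked.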
     
