Author Topic: [Resolved] all sites are redirected-cannot update antivirus (Read 1384 times)

moezila · « **on:** August 25, 2010, 11:35:32 PM »

Hello, I can only access the intenet via safe mode with networking.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:07 AM, on 8/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KP67CRWB\hijackthis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [younkqsp] C:\Documents and Settings\owner\Local Settings\Application Data\egtkhuaau\vnbiqetshdw.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\Alwil Software\Avast5\afwServ.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4723 bytes

kevinf80 · « **Reply #1 on:** August 26, 2010, 12:11:48 AM »

Hi moezila,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

Please proceed as follows :-

Download Combofix from either of these links and save to your Desktop that is very important :-

You must run Combofix from the Desktop

Link 1
Link 2

Using ComboFix

If you get a successful download and it will not run, delete it. Re-download again from the link that worked, but rename it to EXPLORER before saving to your desktop. Very Important

Print out this guide from another PC if required, we will close all the open windows and programs, including your web browser, before starting the ComboFix program.

To download ComboFix, simply left-click on one of the links above and you will see a prompt similar to the figure below.

Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.

When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on your desktop similar to the one below.

ComboFix Icon

We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

Close all open Windows including this one.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Click HERE to see a list of list of programs that should be disabled, please note; this list is not all inclusive.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Once you double-click on the icon, you may see a screen similar to the one below.

Windows Open File Security Warning

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.

You will now see the first ComboFix screen as shown below. The screen says wait Combofix is preparing to run

ComboFix is Preparing to Run

ComboFix is now preparing to run and when it has finished you will see a screen showing the authorized locations to download Combofix. This screen, press the OK button and you will now see the Disclaimer screen shown below.

ComboFix Disclaimer

If you do not agree to the disclaimer, then click on the No button to exit the program. Otherwise, to continue you should press the Yes button to continue. If you decided to continue, then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

ComboFix is backing up the Windows Registry

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

ComboFix Recovery Console

At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.

ComboFix Recovery Console Finished

You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix is scanning the computer for infections

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

Stages of the ComboFix AutoScan

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

34th Stage of the ComboFix AutoScan

At the time of this writing there are a total of 50 stages as shown in the image below, so please be patient. The amount of stages will go up as time goes on, so if the amount of stages is different when you run it, please do not be concerned.

ComboFix is preparing the log report

When ComboFix has finished running, you will see a screen stating that it is preparing the log report as shown below.

ComboFix is almost done!

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you as shown below.

ComboFix Log File

You should now post this log in your next reply.

Copy and paste the log in you reply from here.. C:\ComboFix.txt if you don`t see it on your desk top.

kevinf80

moezila · « **Reply #2 on:** August 26, 2010, 09:44:04 AM »

Hello kevinf80,
First of all thanks a lot for the help. I was not able to run combofix.exe under normal startup mode even after renamed EXPLORER as almost all my programs are disabled. So this log was run from safe mode. Does it matter?
Here is the log.

ComboFix 10-08-25.01 - Administrator 08/26/2010 10:21:04.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1711 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\owner\Local Settings\Application Data\egtkhuaau
c:\documents and settings\owner\Local Settings\Application Data\egtkhuaau\vnbiqetshdw.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-26 01:11 . 2010-08-26 16:03   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-08-25 18:41 . 2010-08-25 18:41   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-08-25 18:28 . 2010-08-26 06:18   1   ----a-w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-25 18:28 . 2010-08-25 18:28   --------   d-----w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org
2010-08-25 14:06 . 2010-06-28 20:39   312912   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2010-08-25 14:06 . 2010-06-28 20:39   99280   ----a-w-   c:\windows\system32\drivers\aswFW.sys
2010-08-25 14:06 . 2010-06-28 20:38   188168   ----a-w-   c:\windows\system32\drivers\aswNdis2.sys
2010-08-25 14:05 . 2010-06-28 20:10   12112   ----a-w-   c:\windows\system32\drivers\aswNdis.sys
2010-08-25 14:05 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
2010-08-25 14:05 . 2010-08-25 14:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-25 13:58 . 2010-08-25 13:58   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-08-24 23:04 . 2010-08-24 23:04   --------   d-----w-   c:\windows\Sun
2010-08-24 20:46 . 2010-08-24 20:46   --------   d-----w-   c:\program files\Common Files\Adobe
2010-08-24 20:45 . 2010-08-24 20:45   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-08-24 20:44 . 2010-08-24 20:47   --------   d-----w-   c:\documents and settings\owner\Local Settings\Application Data\Adobe
2010-08-24 19:46 . 2010-08-25 23:46   --------   d-----w-   C:\dnotes
2010-08-24 06:18 . 2010-08-24 21:25   1   ----a-w-   c:\documents and settings\owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-24 06:16 . 2010-08-24 06:16   --------   d-----w-   c:\documents and settings\owner\Application Data\OpenOffice.org
2010-08-24 05:14 . 2010-08-24 05:14   --------   d-----w-   c:\documents and settings\owner\Application Data\CyberLink
2010-08-24 05:13 . 2010-08-24 05:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\CyberLink
2010-08-24 04:04 . 2010-08-24 04:08   --------   d-----w-   c:\windows\ie8updates
2010-08-24 04:01 . 2010-06-24 12:22   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
2010-08-24 04:01 . 2010-06-24 12:21   599040   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2010-08-24 04:01 . 2010-06-24 12:21   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
2010-08-24 04:01 . 2010-06-24 12:21   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-24 04:01 . 2010-06-24 12:21   1986560   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2010-08-24 04:01 . 2010-06-24 12:21   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 14:07 . 2009-12-17 04:47   --------   d-----w-   c:\program files\Alwil Software
2010-08-24 20:45 . 2010-08-25 13:57   53632   ----a-w-   c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-24 20:07 . 2009-11-23 20:57   --------   d-----w-   c:\program files\OpenOffice.org 3
2010-06-30 12:31 . 2008-04-13 23:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2009-12-17 04:47   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-12-17 04:47   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-12-17 04:47   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-12-17 04:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-12-17 04:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-12-17 04:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-12-17 04:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-12-17 04:47   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2008-04-13 23:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-13 23:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 23:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-13 23:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-11-23 20:21   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-13 23:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13594624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [8/25/2010 8:05 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [8/25/2010 8:06 AM 188168]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [8/25/2010 8:06 AM 99280]
S0 cerc6;cerc6;

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/25/2010 8:06 AM 312912]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/16/2009 10:47 PM 165456]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2009 10:47 PM 17744]
S2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [8/25/2010 8:05 AM 119200]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\User_Feed_Synchronization-{65240C7C-60E5-488D-B465-61671EE9FB0C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-younkqsp - c:\documents and settings\owner\Local Settings\Application Data\egtkhuaau\vnbiqetshdw.exe
AddRemove-HijackThis - c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KP67CRWB\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-26 10:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1708537768-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a9,71,e5,46,9e,f8,0b,42,a7,c5,f1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a9,71,e5,46,9e,f8,0b,42,a7,c5,f1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-08-26 10:24:09
ComboFix-quarantined-files.txt 2010-08-26 16:24

Pre-Run: 110,454,358,016 bytes free
Post-Run: 110,465,998,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 47A1332F777B4F51A63CA8D333303C8E

kevinf80 · « **Reply #3 on:** August 26, 2010, 12:38:15 PM »

Hiya moezila,

Running Combofix in Safe mode is OK, I should have told you that in the instructions. Proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code: [Select]

KillAll::
DirLook::
C:\dnotes
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
RegLock::
[HKEY_USERS\S-1-5-21-1454471165-1708537768-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post both logs in your reply please, also how is system; can you access normal mode?

Kevin..

moezila · « **Reply #4 on:** August 26, 2010, 04:47:31 PM »

Hey kevin,
Thanks for staying on top of it... You already have helped a bunch! I actually started having full control of my computer from the first combofix scan. Now I'm able to access the internet under normal mode and my antivirus is updating again.
Here is the log from combofix then follow the one from mbam

ComboFix 10-08-26.02 - owner 08/26/2010 15:11:53.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1579 [GMT -6:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-26 01:11 . 2010-08-26 16:46   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-08-25 18:41 . 2010-08-25 18:41   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-08-25 18:28 . 2010-08-26 06:18   1   ----a-w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-25 18:28 . 2010-08-25 18:28   --------   d-----w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org
2010-08-25 14:06 . 2010-06-28 20:39   312912   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2010-08-25 14:06 . 2010-06-28 20:39   99280   ----a-w-   c:\windows\system32\drivers\aswFW.sys
2010-08-25 14:06 . 2010-06-28 20:38   188168   ----a-w-   c:\windows\system32\drivers\aswNdis2.sys
2010-08-25 14:05 . 2010-06-28 20:10   12112   ----a-w-   c:\windows\system32\drivers\aswNdis.sys
2010-08-25 14:05 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
2010-08-25 14:05 . 2010-08-25 14:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-25 13:58 . 2010-08-25 13:58   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-08-24 23:04 . 2010-08-24 23:04   --------   d-----w-   c:\windows\Sun
2010-08-24 20:46 . 2010-08-24 20:46   --------   d-----w-   c:\program files\Common Files\Adobe
2010-08-24 20:45 . 2010-08-24 20:45   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-08-24 20:44 . 2010-08-24 20:47   --------   d-----w-   c:\documents and settings\owner\Local Settings\Application Data\Adobe
2010-08-24 19:46 . 2010-08-25 23:46   --------   d-----w-   C:\dnotes
2010-08-24 06:18 . 2010-08-24 21:25   1   ----a-w-   c:\documents and settings\owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-24 06:16 . 2010-08-24 06:16   --------   d-----w-   c:\documents and settings\owner\Application Data\OpenOffice.org
2010-08-24 05:14 . 2010-08-24 05:14   --------   d-----w-   c:\documents and settings\owner\Application Data\CyberLink
2010-08-24 05:13 . 2010-08-24 05:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\CyberLink
2010-08-24 04:04 . 2010-08-24 04:08   --------   d-----w-   c:\windows\ie8updates
2010-08-24 04:01 . 2010-06-24 12:22   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
2010-08-24 04:01 . 2010-06-24 12:21   599040   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2010-08-24 04:01 . 2010-06-24 12:21   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
2010-08-24 04:01 . 2010-06-24 12:21   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-24 04:01 . 2010-06-24 12:21   1986560   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2010-08-24 04:01 . 2010-06-24 12:21   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 14:07 . 2009-12-17 04:47   --------   d-----w-   c:\program files\Alwil Software
2010-08-24 20:45 . 2010-08-25 13:57   53632   ----a-w-   c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-24 20:07 . 2009-11-23 20:57   --------   d-----w-   c:\program files\OpenOffice.org 3
2010-06-30 12:31 . 2008-04-13 23:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2009-12-17 04:47   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-12-17 04:47   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-12-17 04:47   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-12-17 04:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-12-17 04:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-12-17 04:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-12-17 04:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-12-17 04:47   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2008-04-13 23:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-13 23:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 23:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-13 23:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-11-23 20:21   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-13 23:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\dnotes ----

2010-08-24 21:00 . 2010-08-24 21:00   322703   ----a-w-   c:\dnotes\additional notes\General Consent[1].odt
2010-08-24 20:56 . 2010-08-24 20:56   575838   ----a-w-   c:\dnotes\additional notes\Comparitive Note[1].odt
2010-08-24 20:50 . 2010-08-24 20:50   99671   ----a-w-   c:\dnotes\READ THIS FIRST.pdf
2010-08-24 20:38 . 2010-08-24 20:38   573436   ----a-w-   c:\dnotes\Oncology Note Unsigned[1].odt
2010-08-24 20:29 . 2010-08-24 20:29   611524   ----a-w-   c:\dnotes\Chiropractor Note[1].odt
2010-08-24 20:25 . 2010-08-24 20:25   684820   ----a-w-   c:\dnotes\Dermatologist Note[1].odt
2010-08-24 20:23 . 2010-08-24 20:23   773618   ----a-w-   c:\dnotes\Ear Nose and Throat Note[1].odt
2010-08-24 20:21 . 2010-08-24 20:21   590643   ----a-w-   c:\dnotes\Emergency Room 2[1].odt
2010-08-24 20:19 . 2010-08-24 20:19   354947   ----a-w-   c:\dnotes\Emergency Room Visit[1].odt
2010-08-24 20:17 . 2010-08-24 20:17   478547   ----a-w-   c:\dnotes\General Clinic Letter[1].odt
2010-08-24 20:16 . 2010-08-24 20:16   478450   ----a-w-   c:\dnotes\Gynecologist Note[1].odt
2010-08-24 20:14 . 2010-08-24 20:14   388162   ----a-w-   c:\dnotes\Health Services Letter[1].odt
2010-08-24 20:13 . 2010-08-24 20:13   803740   ----a-w-   c:\dnotes\Hospital Printout[1].odt
2010-08-24 20:12 . 2010-08-24 20:12   621411   ----a-w-   c:\dnotes\Mental Health Letter[1].odt
2010-08-24 20:10 . 2010-08-24 20:10   323895   ----a-w-   c:\dnotes\Mental Health Note[1].odt
2010-08-24 19:58 . 2010-08-24 19:58   385236   ----a-w-   c:\dnotes\Oral Surgery Note[1].odt
2010-08-24 19:55 . 2010-08-24 19:55   508113   ----a-w-   c:\dnotes\Pulmonary Clinic Letter[1].odt
2010-08-24 19:49 . 2010-08-24 19:49   356865   ----a-w-   c:\dnotes\Urologist Note[1].odt

((((((((((((((((((((((((((((( SnapShot@2010-08-26_16.23.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-26 21:25 . 2010-08-26 21:25   16384 c:\windows\temp\Perflib_Perfdata_538.dat
+ 2008-04-13 23:00 . 2010-08-26 20:53   41238 c:\windows\system32\perfc009.dat
+ 2008-04-13 23:00 . 2010-08-26 20:53   315076 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13594624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [8/25/2010 8:05 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [8/25/2010 8:06 AM 188168]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [8/25/2010 8:06 AM 99280]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/25/2010 8:06 AM 312912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/16/2009 10:47 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2009 10:47 PM 17744]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [8/25/2010 8:05 AM 119200]
S0 cerc6;cerc6;

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\User_Feed_Synchronization-{65240C7C-60E5-488D-B465-61671EE9FB0C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-26 15:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1404)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-08-26 15:27:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 21:27
ComboFix2.txt 2010-08-26 17:34
ComboFix3.txt 2010-08-26 16:24

Pre-Run: 110,376,488,960 bytes free
Post-Run: 110,369,910,784 bytes free

- - End Of File - - 1D360AE8FE6253085085931AB067E3E5

moezila · « **Reply #5 on:** August 26, 2010, 04:54:27 PM »

LOG FROM MBAM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4486

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/26/2010 5:19:48 PM
mbam-log-2010-08-26 (17-19-48).txt

Scan type: Quick scan
Objects scanned: 133396
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

kevinf80 · « **Reply #6 on:** August 26, 2010, 05:20:56 PM »

Hiya moezila,

Good to hear things are getting back to normal. Logs look OK now, but you still seem to have a proxy running. Proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code: [Select]

killall::
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Lets just double check all is OK by running an online virus scan with Kaspersky from HERE. This scan is very thorough and may take several hours to run, please allow it to complete.
1. At the main page. Press on "Accept". After reading the contents.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

The following animation may help.

Kaspersky Gif

Step 3

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What i`d like in your reply :-

New log from Combofix
Log from Kaspersky
Log from Security Checks

Kevin...

moezila · « **Reply #7 on:** August 26, 2010, 11:28:02 PM »

Hello Kevin,
Here are the logs you requested. I accidently lost the first combofix log (apologies), then did it again following the same instructions.

ComboFix 10-08-26.02 - owner 08/26/2010 23:55:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1688 [GMT -6:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
.

2010-08-26 23:06 . 2010-08-26 23:06   --------   d-----w-   c:\documents and settings\owner\Application Data\Malwarebytes
2010-08-26 23:04 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-26 23:04 . 2010-08-26 23:05   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-08-26 23:04 . 2010-08-26 23:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-26 23:04 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-08-26 01:11 . 2010-08-26 16:46   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-08-25 18:41 . 2010-08-25 18:41   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-08-25 18:28 . 2010-08-26 06:18   1   ----a-w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-25 18:28 . 2010-08-25 18:28   --------   d-----w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org
2010-08-25 14:06 . 2010-06-28 20:39   312912   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2010-08-25 14:06 . 2010-06-28 20:39   99280   ----a-w-   c:\windows\system32\drivers\aswFW.sys
2010-08-25 14:06 . 2010-06-28 20:38   188168   ----a-w-   c:\windows\system32\drivers\aswNdis2.sys
2010-08-25 14:05 . 2010-06-28 20:10   12112   ----a-w-   c:\windows\system32\drivers\aswNdis.sys
2010-08-25 14:05 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
2010-08-25 14:05 . 2010-08-25 14:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-25 13:58 . 2010-08-25 13:58   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-08-24 23:04 . 2010-08-24 23:04   --------   d-----w-   c:\windows\Sun
2010-08-24 20:46 . 2010-08-24 20:46   --------   d-----w-   c:\program files\Common Files\Adobe
2010-08-24 20:45 . 2010-08-24 20:45   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-08-24 20:44 . 2010-08-24 20:47   --------   d-----w-   c:\documents and settings\owner\Local Settings\Application Data\Adobe
2010-08-24 19:46 . 2010-08-25 23:46   --------   d-----w-   C:\dnotes
2010-08-24 06:18 . 2010-08-24 21:25   1   ----a-w-   c:\documents and settings\owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-24 06:16 . 2010-08-24 06:16   --------   d-----w-   c:\documents and settings\owner\Application Data\OpenOffice.org
2010-08-24 05:14 . 2010-08-24 05:14   --------   d-----w-   c:\documents and settings\owner\Application Data\CyberLink
2010-08-24 05:13 . 2010-08-24 05:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\CyberLink
2010-08-24 04:04 . 2010-08-24 04:08   --------   d-----w-   c:\windows\ie8updates
2010-08-24 04:01 . 2010-06-24 12:22   12800   -c----w-   c:\windows\system32\dllcache\xpshims.dll
2010-08-24 04:01 . 2010-06-24 12:21   599040   -c----w-   c:\windows\system32\dllcache\msfeeds.dll
2010-08-24 04:01 . 2010-06-24 12:21   247808   -c----w-   c:\windows\system32\dllcache\ieproxy.dll
2010-08-24 04:01 . 2010-06-24 12:21   55296   -c----w-   c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-24 04:01 . 2010-06-24 12:21   1986560   -c----w-   c:\windows\system32\dllcache\iertutil.dll
2010-08-24 04:01 . 2010-06-24 12:21   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 14:07 . 2009-12-17 04:47   --------   d-----w-   c:\program files\Alwil Software
2010-08-24 20:45 . 2010-08-25 13:57   53632   ----a-w-   c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-24 20:07 . 2009-11-23 20:57   --------   d-----w-   c:\program files\OpenOffice.org 3
2010-06-30 12:31 . 2008-04-13 23:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2009-12-17 04:47   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-12-17 04:47   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-12-17 04:47   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-12-17 04:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-12-17 04:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-12-17 04:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-12-17 04:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-12-17 04:47   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2008-04-13 23:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-13 23:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 23:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-13 23:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-11-23 20:21   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-13 23:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-26_16.23.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-27 06:09 . 2010-08-27 06:09   16384 c:\windows\temp\Perflib_Perfdata_1f0.dat
+ 2008-04-13 23:00 . 2010-08-27 05:39   41238 c:\windows\system32\perfc009.dat
+ 2008-04-13 23:00 . 2010-08-27 05:39   315076 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13594624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [8/25/2010 8:05 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [8/25/2010 8:06 AM 188168]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [8/25/2010 8:06 AM 99280]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/25/2010 8:06 AM 312912]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/16/2009 10:47 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2009 10:47 PM 17744]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [8/25/2010 8:05 AM 119200]
S0 cerc6;cerc6;

S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\User_Feed_Synchronization-{65240C7C-60E5-488D-B465-61671EE9FB0C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1404)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2010-08-27 00:11:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-27 06:11
ComboFix2.txt 2010-08-27 01:52
ComboFix3.txt 2010-08-26 21:54
ComboFix4.txt 2010-08-26 17:34
ComboFix5.txt 2010-08-27 05:32

Pre-Run: 111,459,500,032 bytes free
Post-Run: 111,564,951,552 bytes free

- - End Of File - - 9617C3B312F4403EC2A781B0785AD8EF

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, August 26, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 26, 2010 22:28:11
Records in database: 4163272
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\

Scan statistics:
   Objects scanned: 32505
   Threats found: 1
   Infected objects found: 2
   Suspicious objects found: 0
   Scan duration: 00:42:55

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\owner\Local Settings\Application Data\egtkhuaau\vnbiqetshdw.exe.vir   Infected: Trojan.Win32.FraudPack.bguz   1
C:\System Volume Information\_restore{5D17CACC-341B-487C-9B35-487E34199AED}\RP28\A0015533.exe   Infected: Trojan.Win32.FraudPack.bguz   1

Selected area has been scanned.

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Internet Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner (remove only)
Java(TM) 6 Update 17
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.3.4
````````````````````````````````
Process Check:
objlist.exe by Laurent
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
Alwil Software Avast5 afwServ.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

kevinf80 · « **Reply #8 on:** August 27, 2010, 02:21:59 AM »

Hiya moezila,

Those logs look fine, the entries identified by Kaspersky will be dealt with during the clean up process. Please proceed as follows :-

Step 1

Remove Combofix now that we're done with it

Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
Please follow the prompts to uninstall Combofix.
You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Step 2

Unistall the following from Add/Remove Programs via the Control Panel

Java(TM) 6 Update 7

Step 3

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Scroll down to "JDK 6 Update 21 (JDK or JRE).
Click the Download JRE button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:

Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.

Step 4

You have CCleaner installed, now would be a good time to run the cleaner section. Next, post back and let me know how you system is responding and if there are any specific issues.

Kevin.

moezila · « **Reply #9 on:** August 27, 2010, 08:58:47 AM »

KEVIN......
You are the man!!! Thank you very very much for the help. You sure have saved my computer, it's running great! Now that Combofix is deleted from my computer, I still have Avast internet security, Advance System Care, CCleaner, Malwarebytes and Defraggler on it. Is all of this fine or am I being redundant? If so what best combination would you recommend? I was also considering switching to opera or google chrome or do you think Internet explorer if fine.
Anyway Thanks a lot man and anything I can do?

kevinf80 · « **Reply #10 on:** August 27, 2010, 09:12:19 AM »

Hiya moezila,

Those kind words are reward enough for me, have a read through my closure speech; you`ll get some good tips and advice from it. Dont forget the best form of defense is common sense.
Keep well away from P2P applications, never open anything you dont recognize and if it looks too good to be true, it usually aint.

Your latest logs are clean and you say that your system is running well, it would be an excellent idea to keep it that way. The following advice will go along way to keeping you secure so that you can enjoy safe and happy surfing.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

You will have several programs installed, these maybe outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox,

Opera, and

Chrome.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.

Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here a couple of links by two security experts that will give some excellent tips and advice.
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally this link HERE[/b] will give a comprehensive upto date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

Please reply so I know you have read this, its been a pleasure to work you.
Take care,

Kevin

moezila · « **Reply #11 on:** August 28, 2010, 09:48:22 AM »

Hello kevin,
I spent a good amount a time trying to figure out a good security combination for my computer and finaly decided to go with microsoft securty essentials instead of avast maybe due to the fact that it uses less resources (just need to figure out if it works better lol...), kept malwarebytes, downloaded comodo firewall and kept advance system care for system optimization purposes. Your closing pitch was most helpful.
My next project is the my desktop. Its been acting slow and I believe was infected by the same viruses. It got better with the antivirus but still not right. Would you be able to assist me on that or should I post with it's own title ?

take care,
Moezila

kevinf80 · « **Reply #12 on:** August 28, 2010, 11:20:28 AM »

Hiya moezila,

Yep start a new thread for you PC and post a HJT log. I`ll watch for it, you can mark for attention kevinf80 if you wish. It doesn`t really matter who takes your log, all of the guys are very good at what they do. I should know, they trained me....I`ll close this one out..

Kevin.

moezila · « **Reply #13 on:** August 28, 2010, 11:56:56 AM »

THANKS AGAIN..

Moezila.

kevinf80 · « **Reply #14 on:** August 28, 2010, 12:25:02 PM »

Since this issue appears to be resolved the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.

News:

Author Topic: [Resolved] all sites are redirected-cannot update antivirus (Read 1384 times)

moezila

[Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus

moezila

Re: [Resolved] all sites are redirected-cannot update antivirus

kevinf80

Re: [Resolved] all sites are redirected-cannot update antivirus