I'm having a big problem with Iexplore.exe

January 7, 2010 at 04:42:12
Specs: Windows XP
Please can someone help me. I have looked through many threads on the internet, but no-one seems to have experienced the same iexplore.exe problem as me.

Iexplore.exe is running all the time and taking up 99% of my CPU usage, so I have read that I have a virus. It seems to have done something to stop AVG from working, so I have run my anti-virus CD, which I have done twice, and it didn't clear it. Most threads say to download spyware/anti-virus software, but this virus seems to have broken Internet Explorer and Firefox. I have tried running in safe mode and even taken a USB stick to try and upload anti-virus software, but nothing seems to work. I just can't seem to get rid of it. If anybody has any advice or could help I would very much appreciate it. Thanks, Rob




#1
January 7, 2010 at 15:28:43
It has probably changed some IE settings.

Go to start > control panel > internet options > connections > settings and make sure the proxy box is not checked; if it is, uncheck it > ok. Then click "LAN settings" and do the same thing, and make sure the "auto detect" box is checked on LAN settings > ok > apply > ok.

If that got you online, follow these suggestions and post their logs.

You may need to download these to a USB drive or CD and run them on the infected computer, but first try to run them from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box > click save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.



#2
January 9, 2010 at 04:56:54
Jabuck,

First of all, thanks for taking the time to help me. I have followed your instructions and have posted the exeHelper comments below.

exeHelper by Raktor
Build 20091220
Run at 12:14:51 on 01/09/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I couldn't get on to the internet using Internet Explorer or Firefox, so I ran it all by copying it to a flash drive and then copying that to my desktop and ran it from there. However, the MalwareBytes software didn't work despite me changing the name to tools.exe.

Now Iexplore doesn't run all the time and the speed of my laptop is OK (until I try and open Internet Explorer); however, I still can't log on to the internet.

If I try and open Firefox, nothing happens. It appears in Task Manager (CPU 83ish%, 40,628 mem usage), but nothing opens (I have tried to download this again from a flash drive, but I get the same results).
If I try and open Internet Explorer, nothing happens and it appears in Task Manager (99%, 21,688 mem usage). (Again, I have tried to download this again from a flash drive.)

Have I done something wrong? If you have any further advice it would really be appreciated.
Thanks in advance, Rob



#3
January 9, 2010 at 07:36:08
Boot into safe mode. Shut the computer down > wait 30 seconds > restart the computer and tap F8 intermittently as the computer boots up. You will get an option screen > choose "Safe Mode with Networking". (Do not try any other method of entering safe mode.)

Once the computer boots up do the following:

Try to install/run Malwarebytes. Remember: your antivirus and any real-time antispyware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box > click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#4
January 9, 2010 at 11:41:22
Jabuck,

Thanks for the quick response. I have followed your instructions and the virus seems to have gone now. I can log on to both Internet Explorer and Firefox. As requested, below is the log from ComboFix. Is there any way of knowing that it has definitely gone?

As AVG did not detect this, should I use a different anti-virus package in future?

Thanks again for all your help, I really wouldn't have known what to do without you.

Rob

P.S. Can you see from the logs what this virus was and how I got it? I have had a laptop for many years and have never had a virus before.

ComboFix 10-01-04.01 - Rob 09/01/2010 18:35:55.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.489 [GMT 1:00]
Running from: E:\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {A8381738-BDFF-4DAD-9F19-A14F25271696}
FW: Trend Micro Internet Security *enabled* {0C24B78A-2958-44C1-92AB-B0DBFAD0A08D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\program files\mediapipe
c:\program files\mediapipe\insdl.dll
c:\program files\mediapipe\install.log
c:\program files\mediapipe\ItBill_terms.txt
c:\program files\mediapipe\MediaPipe.ini
c:\program files\mediapipe\register.dll
c:\program files\p2pnetworks
c:\program files\p2pnetworks\AlConfig.xml
c:\program files\p2pnetworks\alp2plib.log
c:\program files\p2pnetworks\alp2plib.log.bak
c:\program files\p2pnetworks\install.log
c:\program files\p2pnetworks\sp2p.cache
c:\program files\p2pnetworks\uninst.exe
c:\recycler\S-1-5-21-1487346102-2310465710-608140913-1003
c:\windows\system32\drivers\H8SRTkmxfaklrrv.sys
c:\windows\system32\H8SRTidujnadent.dll
c:\windows\system32\H8SRTkxvrorwulr.dat
c:\windows\system32\H8SRTrsqodjomxq.dll
c:\windows\system32\H8SRTwspilxylqg.dll
c:\windows\system32\srcr.dat
c:\windows\system32\STEC3.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_STEC3
-------\Service_STEC3


((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-09 12:32 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 12:32 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 12:08 . 2010-01-09 17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 12:08 . 2010-01-09 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 19:33 . 2009-09-25 05:37 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-08 19:33 . 2009-09-25 05:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-01-03 11:00 . 2010-01-03 11:00 -------- d-----w- c:\program files\Trend Micro
2010-01-02 20:23 . 2010-01-02 20:26 -------- d-----w- C:\3b607c82a93c270cad35d12b
2010-01-02 09:36 . 2010-01-02 09:43 -------- d-----w- c:\program files\Registry Easy
2010-01-02 09:04 . 2010-01-02 09:04 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\PCHealth
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-31 09:56 . 2010-01-09 11:48 853 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-28 20:01 . 2009-12-28 20:01 -------- d-----w- c:\documents and settings\Rob\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 16:56 . 2009-11-16 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-04 21:40 . 2003-09-11 02:52 771712 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2010-01-04 21:34 . 2003-08-22 07:01 1195384 ----a-w- c:\windows\system32\drivers\VSAPINT.SYS
2010-01-04 21:34 . 2003-08-22 07:17 205328 ----a-w- c:\windows\system32\drivers\TmXPFlt.sys
2010-01-04 21:34 . 2003-08-22 07:17 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-01 10:54 . 2007-07-29 18:07 -------- d-----w- c:\documents and settings\Rob\Application Data\Azureus
2009-12-31 12:37 . 2007-12-09 17:03 -------- d-----w- c:\documents and settings\Rob\Application Data\dvdcss
2009-12-31 09:54 . 2009-12-31 09:54 8677824 ----a-w- c:\documents and settings\Rob\Application Data\Azureus\tmp\AZU2716797427916867805.tmp\Vuze_4.3.0.6b_win32.exe
2009-12-28 19:59 . 2008-01-30 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-22 22:43 . 2007-11-01 20:58 -------- d-----w- c:\documents and settings\Rob\Application Data\LimeWire
2009-12-22 17:58 . 2007-01-14 21:31 -------- d-----w- c:\program files\FinePixViewer
2009-12-19 08:04 . 2009-12-22 22:15 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-17 18:36 . 2006-01-01 21:17 62504 ----a-w- c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 22:20 . 2009-01-03 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-16 22:17 . 2005-10-19 03:13 -------- d-----w- c:\program files\Microsoft Works
2009-12-14 21:15 . 2009-12-22 22:16 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-14 21:15 . 2009-12-22 22:16 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-14 21:09 . 2009-12-19 08:05 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-14 21:09 . 2009-12-22 22:15 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-28 16:40 . 2009-11-28 16:40 -------- d-----w- c:\program files\SopCast
2009-11-20 07:27 . 2007-07-29 18:04 -------- d-----w- c:\program files\Azureus
2009-11-17 20:03 . 2008-03-25 18:54 -------- d-----w- c:\program files\InterActual
2009-11-17 19:50 . 2009-11-17 19:50 -------- d-----w- c:\program files\AskBarDis
2009-11-16 22:08 . 2009-03-15 15:27 -------- d-----w- c:\program files\AVG
2009-11-14 16:17 . 2009-11-14 16:17 -------- d-----w- c:\documents and settings\Rob\Application Data\FCTB000061107
2009-11-14 16:16 . 2009-11-14 16:17 59760 ----a-w- c:\documents and settings\Rob\Application Data\FCTB000061107\Toolbar\Uninst.exe
2009-11-14 16:16 . 2009-11-14 16:16 -------- d-----w- c:\program files\AddThis Toolbar
2009-11-14 16:16 . 2009-11-14 16:17 1432576 ----a-w- c:\documents and settings\Rob\Application Data\FCTB000061107\Toolbar\Toolbar.dll
2009-11-14 16:16 . 2009-11-14 16:17 242688 ----a-w- c:\documents and settings\Rob\Application Data\FCTB000061107\Toolbar\Helper.dll
2009-10-29 05:38 . 2005-10-18 12:36 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-10-18 12:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-10-18 12:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-10-18 12:36 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 20:31 . 2009-11-14 16:17 371200 ----a-w- c:\documents and settings\Rob\Application Data\FCTB000061107\Toolbar\RSSReader_plugin.dll
2009-10-12 13:38 . 2005-10-18 12:36 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-10-18 12:36 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBF8AAF-0A31-4786-909A-97A0EF101743}]
2009-11-14 16:16 1432576 ----a-w- c:\program files\AddThis Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}"= "c:\program files\AddThis Toolbar\Toolbar.dll" [2009-11-14 1432576]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{b43176cc-4d9e-493b-a636-d9cbfe39c6da}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{58E510FE-36D8-4DEF-9385-CD04A1F555A3}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}"= "c:\program files\AddThis Toolbar\Toolbar.dll" [2009-11-14 1432576]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{b43176cc-4d9e-493b-a636-d9cbfe39c6da}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{58E510FE-36D8-4DEF-9385-CD04A1F555A3}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2009-07-30 11017728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 688217]
"LaunchAp"="c:\launch manager\LaunchAp.exe" [2005-03-30 32768]
"HotkeyApp"="c:\launch manager\HotkeyApp.exe" [2005-05-02 57344]
"LMgrVolOSD"="c:\launch manager\OSD.exe" [2005-03-16 204800]
"LMgrOSD"="c:\launch manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\launch manager\Wbutton.exe" [2005-04-18 81920]
"CtrlVol"="c:\launch manager\CtrlVol.exe" [2003-09-16 20480]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-16 148888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 53340]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-22 185896]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20480]
"P1370Mon.exe"="c:\windows\P1370Mon.exe" [2006-06-19 36864]
"Creative Software Update"="c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2006-02-07 417881]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security\pccguide.exe" [2010-01-04 966718]
"PCClient.exe"="c:\program files\Trend Micro\Internet Security\PCClient.exe" [2010-01-04 663618]
"TM Outbreak Agent"="c:\program files\Trend Micro\Internet Security\TMOAgent.exe" [2010-01-04 450627]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Rob\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-1-14 294912]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-1-5 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AddThis Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\AddThis Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [17/11/2009 20:50 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [17/11/2009 20:51 234888]
R2 PccPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\PCCPFW.exe [22/09/2003 05:50 729147]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [22/08/2003 08:17 205328]
R2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Internet Security\Tmntsrv.exe [22/09/2003 05:53 262214]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [22/08/2003 08:17 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\tmproxy.exe [22/09/2003 05:55 204870]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [18/10/2005 13:39 200192]
S1 mailKmd;mailKmd; [x]
S3 ESI_GigaportAG;usb-audio.de driver for ESI - GIGAPortAG;c:\windows\system32\drivers\gigapAG.sys [11/04/2006 21:53 325440]
S3 P1370Aud;Creative WebCam Audio Control;c:\windows\system32\drivers\P1370Aud.sys [31/05/2009 11:14 93056]
S3 P1370Aul;PD1370 Lower Filter Driver;c:\windows\system32\drivers\P1370Aul.sys [31/05/2009 11:14 4992]
S3 P1370Vfx;P1370Vfx;c:\windows\system32\drivers\P1370Vfx.sys [31/05/2009 11:14 6272]
S3 P1370VID;Live! Cam Voice;c:\windows\system32\drivers\P1370Vid.sys [31/05/2009 11:14 297792]
S3 pgusbmme;usb-audio.de MME-Adapter;c:\windows\system32\drivers\pgusbmm3.sys [11/04/2006 21:53 23360]
.
Contents of the 'Scheduled Tasks' folder

2009-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-01-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://uk.yahoo.com/fsc/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} - hxxps://www.basisbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.30.cab
DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} - hxxps://netbank.danskebank.dk/html/activex/DB/Menu.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\k7vb0fjf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com
FF - prefs.js: keyword.URL - hxxp://dk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_dk&p=
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-PCLEUSBTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-09 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\launch manager\CtrlVol.exe???????8???????????T??????|x??|????q??|?j?wQj?w????????,??? ???|???????????\??????|????????h?????@????????????????s???????s???sx??s@??????????????|h??sl??????????s?????????????????C?sc"?sx??s????(J?w??@?N'?s?>??-6@??>?????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1856)
c:\windows\system32\Ati2evxx.dll
c:\program files\Funk Software\Funk Client\odLogin.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-01-09 19:05:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-09 18:05

Pre-Run: 6,116,016,128 bytes free
Post-Run: 8,969,175,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DAB81C5A0E6C9D6077EF19CE12BC4716


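The ComboFix log above has a regular line layout, and reading it by hand is what the helper does when picking one file out of the "Files Created" section. As an added example that is not part of this thread or of ComboFix, here is a small Python parser for the "Files Created" and "Drivers/Services" sections plus a triage shortlist; the helper names, the dllcache-twin heuristic and SAMPLE_LOG (lines copied from the log quoted above) are this example's own.

```python
"""Parse the 'Files Created' and 'Drivers/Services' sections of a ComboFix log.

Added example for this thread, not ComboFix's own code. The line layout is
taken from the log quoted above; the helper names, the dllcache-twin
heuristic and SAMPLE_LOG (lines copied from that log) are this example's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# One file line: <created> . <modified> <size or dashes> <attributes> <path>
# e.g. 2009-12-31 09:56 . 2010-01-09 11:48 853 ----a-w- c:\windows\system32\krl32mainweq.dll
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Removed driver/service lines, e.g. -------\Service_H8SRTd.sys
REMOVED_SERVICE = re.compile(r"^-{7}\\(?:Service|Legacy)_(?P<name>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
# Start of the window printed in the 'Files Created from ... to ...' header
SCAN_WINDOW_START = datetime(2009, 12, 9)


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: int  # -1 for directories (ComboFix prints dashes instead of a size)
    attrs: str
    path: str  # normalised to lower case

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_file_entries(log_text: str) -> List[FileEntry]:
    """Every file line in the log (Files Created and Find3M share the layout)."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"].startswith("-") else int(m["size"])
        entries.append(FileEntry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size, attrs=m["attrs"], path=m["path"].lower()))
    return entries


def parse_removed_services(log_text: str) -> List[str]:
    """Names under Drivers/Services, Service_/Legacy_ prefixes stripped, deduplicated."""
    names: List[str] = []
    for line in log_text.splitlines():
        m = REMOVED_SERVICE.match(line.strip())
        if m and m["name"] not in names:
            names.append(m["name"])
    return names


def system32_shortlist(entries: List[FileEntry], since: datetime) -> List[FileEntry]:
    """Files dropped directly into system32 (no subfolder) on or after `since` that have
    no same-name, same-size twin in system32\\dllcache. XP's Windows File Protection
    keeps a cached copy of protected system files there, so an updated OS file such as
    ieencode.dll appears twice while a dropped DLL appears once. A triage aid, not a verdict."""
    cache = {(e.path.rsplit("\\", 1)[-1], e.size) for e in entries
             if e.path.startswith(SYSTEM32 + "dllcache\\")}
    out = []
    for e in entries:
        if e.is_dir or e.created < since or not e.path.startswith(SYSTEM32):
            continue
        name = e.path[len(SYSTEM32):]
        if "\\" in name or (name, e.size) in cache:
            continue
        out.append(e)
    return out


# Constructed sample: lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_STEC3
-------\Service_STEC3

((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.
2010-01-09 12:32 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 12:08 . 2010-01-09 17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 19:33 . 2009-09-25 05:37 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-08 19:33 . 2009-09-25 05:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-31 09:56 . 2010-01-09 11:48 853 ----a-w- c:\windows\system32\krl32mainweq.dll
"""

if __name__ == "__main__":
    found = parse_file_entries(SAMPLE_LOG)
    print("removed services:", parse_removed_services(SAMPLE_LOG))
    for e in system32_shortlist(found, SCAN_WINDOW_START):
        print(f"review: {e.path} ({e.size} bytes, created {e.created:%Y-%m-%d}, "
              f"modified {e.modified:%Y-%m-%d})")
```

Run against the sample, the shortlist contains only krl32mainweq.dll, the file the next reply targets with a CFScript; the Malwarebytes driver and the updated ieencode.dll are filtered out.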

#5
January 9, 2010 at 17:09:54
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\krl32mainweq.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save as type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Please post the log that is produced.

A little clean-up to do.

Delete RSIT, Rkill, and exeHelper from your desktop.

Go to start > run > type in ComboFix /Uninstall (note the space after ComboFix), then press enter > run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start> control panel> system> system restore tab> check the box beside "turn off system restore"> apply (takes a minute)> ok. Go back and uncheck the box to turn system restore back on> apply> ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create> click home> exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#6
January 12, 2010 at 09:47:38
jabuck,

sorry for the delay, below is the log from ComboFix.

Once again thanks for all your help.
My computer is working fine on the internet now and I think I'm virus clear.

It has recently been very slow to start up. Once I restart/turn on my computer, would I need to go into some sort of restart menu to delete items from this, and how would I know which items to delete from startup?

I can see in task manager that there are 79 items under the Processes tab. Most are using 00 CPU, but it does say that they are taking up Mem Usage. The overall CPU usage seems to be around 40% and the computer doesn't seem to be slow; it just takes a long time to start up.
Sorry if this is a different item.

ComboFix 10-01-04.01 - Rob 11/01/2010 22:47:20.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.312 [GMT 1:00]
Running from: E:\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

FILE ::
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-09 18:58 . 2010-01-09 18:58 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2010-01-09 18:36 . 2010-01-09 18:36 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-09 18:36 . 2010-01-09 18:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-09 18:36 . 2010-01-09 18:36 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-09 18:36 . 2010-01-09 18:36 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 18:36 . 2010-01-09 18:36 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 18:36 . 2010-01-09 18:36 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-09 18:35 . 2010-01-11 21:20 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-09 18:34 . 2010-01-09 18:34 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-09 18:34 . 2010-01-09 18:34 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-09 12:32 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 12:32 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-09 12:08 . 2010-01-09 17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 12:08 . 2010-01-09 12:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 19:33 . 2009-09-25 05:37 81920 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-01-08 19:33 . 2009-09-25 05:37 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-01-03 11:00 . 2010-01-03 11:00 -------- d-----w- c:\program files\Trend Micro
2010-01-02 20:23 . 2010-01-02 20:26 -------- d-----w- C:\3b607c82a93c270cad35d12b
2010-01-02 09:36 . 2010-01-02 09:43 -------- d-----w- c:\program files\Registry Easy
2010-01-02 09:04 . 2010-01-02 09:04 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\PCHealth
2010-01-01 10:46 . 2010-01-01 10:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-28 20:01 . 2009-12-28 20:01 -------- d-----w- c:\documents and settings\Rob\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 22:07 . 2006-09-24 16:05 -------- d-----w- c:\program files\BearShare MediaBar
2010-01-10 16:59 . 2007-07-29 18:07 -------- d-----w- c:\documents and settings\Rob\Application Data\Azureus
2010-01-10 01:05 . 2007-11-01 20:58 -------- d-----w- c:\documents and settings\Rob\Application Data\LimeWire
2010-01-09 18:34 . 2009-11-16 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-31 12:37 . 2007-12-09 17:03 -------- d-----w- c:\documents and settings\Rob\Application Data\dvdcss
2009-12-28 19:59 . 2008-01-30 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-22 17:58 . 2007-01-14 21:31 -------- d-----w- c:\program files\FinePixViewer
2009-12-17 18:36 . 2006-01-01 21:17 62504 ----a-w- c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 22:20 . 2009-01-03 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-16 22:17 . 2005-10-19 03:13 -------- d-----w- c:\program files\Microsoft Works
2009-11-28 16:40 . 2009-11-28 16:40 -------- d-----w- c:\program files\SopCast
2009-11-20 07:27 . 2007-07-29 18:04 -------- d-----w- c:\program files\Azureus
2009-11-17 20:03 . 2008-03-25 18:54 -------- d-----w- c:\program files\InterActual
2009-11-17 19:50 . 2009-11-17 19:50 -------- d-----w- c:\program files\AskBarDis
2009-11-16 22:08 . 2009-03-15 15:27 -------- d-----w- c:\program files\AVG
2009-11-14 16:17 . 2009-11-14 16:17 -------- d-----w- c:\documents and settings\Rob\Application Data\FCTB000061107
2009-11-14 16:16 . 2009-11-14 16:16 -------- d-----w- c:\program files\AddThis Toolbar
2009-10-29 05:38 . 2005-10-18 12:36 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-10-18 12:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-10-18 12:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EBF8AAF-0A31-4786-909A-97A0EF101743}]
2009-11-14 16:16 1432576 ----a-w- c:\program files\AddThis Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}"= "c:\program files\AddThis Toolbar\Toolbar.dll" [2009-11-14 1432576]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{b43176cc-4d9e-493b-a636-d9cbfe39c6da}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{58E510FE-36D8-4DEF-9385-CD04A1F555A3}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}"= "c:\program files\AddThis Toolbar\Toolbar.dll" [2009-11-14 1432576]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{b43176cc-4d9e-493b-a636-d9cbfe39c6da}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{58E510FE-36D8-4DEF-9385-CD04A1F555A3}]
[HKEY_CLASSES_ROOT\FCTB000061107.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]
"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2009-07-30 11017728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 98393]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 688217]
"LaunchAp"="c:\launch manager\LaunchAp.exe" [2005-03-30 32768]
"HotkeyApp"="c:\launch manager\HotkeyApp.exe" [2005-05-02 57344]
"LMgrVolOSD"="c:\launch manager\OSD.exe" [2005-03-16 204800]
"LMgrOSD"="c:\launch manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\launch manager\Wbutton.exe" [2005-04-18 81920]
"CtrlVol"="c:\launch manager\CtrlVol.exe" [2003-09-16 20480]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-16 148888]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-01-09 53340]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-22 185896]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-19 20480]
"P1370Mon.exe"="c:\windows\P1370Mon.exe" [2006-06-19 36864]
"Creative Software Update"="c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe" [2006-02-07 417881]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-09 2033432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Rob\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-1-14 294912]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-1-5 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-09 18:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AddThis Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\AddThis Toolbar\\ToolbarUpdate.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [09/01/2010 19:36 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [09/01/2010 19:36 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/01/2010 19:36 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/01/2010 19:36 360584]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [17/11/2009 20:50 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [17/11/2009 20:51 234888]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [09/01/2010 19:35 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [09/01/2010 19:35 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [09/01/2010 19:35 2303680]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [09/01/2010 19:35 5832712]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [09/01/2010 19:34 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [09/01/2010 19:35 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [09/01/2010 19:35 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [09/01/2010 19:35 25736]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [18/10/2005 13:39 200192]
S1 mailKmd;mailKmd; [x]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [09/01/2010 19:34 30104]
S3 ESI_GigaportAG;usb-audio.de driver for ESI - GIGAPortAG;c:\windows\system32\drivers\gigapAG.sys [11/04/2006 21:53 325440]
S3 P1370Aud;Creative WebCam Audio Control;c:\windows\system32\drivers\P1370Aud.sys [31/05/2009 11:14 93056]
S3 P1370Aul;PD1370 Lower Filter Driver;c:\windows\system32\drivers\P1370Aul.sys [31/05/2009 11:14 4992]
S3 P1370Vfx;P1370Vfx;c:\windows\system32\drivers\P1370Vfx.sys [31/05/2009 11:14 6272]
S3 P1370VID;Live! Cam Voice;c:\windows\system32\drivers\P1370Vid.sys [31/05/2009 11:14 297792]
S3 pgusbmme;usb-audio.de MME-Adapter;c:\windows\system32\drivers\pgusbmm3.sys [11/04/2006 21:53 23360]
.
Contents of the 'Scheduled Tasks' folder

2009-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-01-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://uk.yahoo.com/fsc/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} - hxxps://www.basisbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.30.cab
DPF: {3D2CB570-D425-11D5-ABD0-00008369C46F} - hxxps://netbank.danskebank.dk/html/activex/DB/Menu.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://ebanking.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\k7vb0fjf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com
FF - prefs.js: keyword.URL - hxxp://dk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_dk&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 23:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\launch manager\CtrlVol.exe???????8???????????T??????|x??|????q??|?j?wQj?w????????,??? ???|???????????\??????|????????h?????@????????????????s???????s???sx??s@??????????????|h??sl??????????s?????????????????C?sc"?sx??s????(J?w??@?N'?s?>??-6@??>?????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\Ati2evxx.dll
c:\program files\Funk Software\Funk Client\odLogin.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2010-01-11 23:25:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 22:24
ComboFix2.txt 2010-01-09 18:05

Pre-Run: 1,236,602,880 bytes free
Post-Run: 1,733,840,896 bytes free

- - End Of File - - 4143C421CAEEA14646E25CC2DDC04E93


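Rob's question about which startup items matter, and the Run keys, Browser Helper Objects, winlogon notify DLL and service entries that the ComboFix log above lists, are the kind of thing a short triage script can sort through before anyone starts deleting things. The following is an added example written for this page; it is not ComboFix's code and not something posted in the thread. It parses the "Reg Loading Points" layout ComboFix uses (bracketed key, `"name"="path" [date size]` lines, `date time size attrs path` file lines, and `R0/S3 name;display;path [info]` service lines) and attaches simple defender-side flags: a bare filename located via the search path, a binary outside c:\windows and c:\program files, a user-writable location, a BHO, a winlogon notify DLL, or a service whose image ComboFix marks `[x]` (not found). The embedded log excerpt is constructed in that layout from the kinds of entries seen above; the "ExampleUpdater" entry is invented purely to exercise the flags, and the heuristics are my assumptions, not ComboFix's own rules.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's own code. The flagging rules
are assumptions chosen to prompt a closer look at an entry, not a verdict.
"""
import re
from typing import Dict, List

# Constructed sample in ComboFix's layout. The "ExampleUpdater" line is invented
# to exercise the flags; the other lines mirror the shapes seen in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"ExampleUpdater"="c:\documents and settings\Rob\Application Data\example-updater.exe" [2010-01-08 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-09 18:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [17/11/2009 20:50 464264]
S1 mailKmd;mailKmd; [x]
"""

# The three line shapes ComboFix uses in this section, plus the bracketed key.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
FILE_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]$')

# Assumed "expected" locations for autostart binaries on this XP box (progra~1 is the short name).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def classify(entry: Dict[str, object]) -> List[str]:
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    flags: List[str] = []
    path = str(entry["path"]).lower()
    source = str(entry["source"]).lower()
    if entry.get("missing"):
        flags.append("service image not found on disk ([x] in log)")
        return flags
    if "browser helper objects" in source:
        flags.append("browser helper object: loaded into every Internet Explorer process")
    if "winlogon\\notify" in source:
        flags.append("winlogon notify DLL: loaded by winlogon.exe at logon")
    if "\\" not in path:
        flags.append("bare filename: located via the search path rather than a fixed directory")
    elif not path.startswith(TRUSTED_PREFIXES):
        flags.append("binary outside c:\\windows and c:\\program files")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        flags.append("user-writable location")
    return flags


def parse_loading_points(text: str) -> List[Dict[str, object]]:
    """Collect Run-key values, key-associated DLLs and service entries from the section."""
    entries: List[Dict[str, object]] = []
    key = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:      # section banner
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):  # next ComboFix section
            break
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = SVC_RE.match(line)                # service lines are not tied to a key
        if m:
            entry = {"source": "service " + m.group("state"), "name": m.group("name"),
                     "path": m.group("path").strip(), "missing": m.group("info").strip() == "x"}
            entry["flags"] = classify(entry)
            entries.append(entry)
            continue
        if key is None:
            continue
        m = RUN_RE.match(line)
        if m:
            entry = {"source": key, "name": m.group("name"), "path": m.group("path"), "missing": False}
        else:
            m = FILE_RE.match(line)           # DLL listed directly under a BHO / notify key
            if not m:
                continue
            entry = {"source": key, "name": key.rsplit("\\", 1)[-1], "path": m.group("path"), "missing": False}
        entry["flags"] = classify(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in flagged(parse_loading_points(SAMPLE_LOG)):
        print(f"{e['name']:<16} {e['path']}")
        for f in e["flags"]:
            print(f"    - {f}")
```

Run against the constructed sample, the script leaves the Google notifier and the AskBarDis service unflagged and raises one or more flags on the other five entries. A flag is a prompt to check the publisher, install date and what else changed on the same day, not a verdict: a bare filename such as the SoundMan entry in the log above is normal for some vendor software, and the AVG notify DLL is expected on a machine that just reinstalled AVG.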

#7
January 12, 2010 at 15:30:59
Go to add/remove programs and uninstall these programs as they are known to harbor spyware.


Ask Toolbar
BearShare

While you are in add/remove programs look at Java. It should be version 6 update 17; if it is an earlier version do the following.

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 17 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.

A little clean-up to do.

Delete RSIT from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start> control panel> system> system restore tab> check the box beside "turn off system restore"> apply (takes a minute)> ok. Go back and uncheck the box to turn system restore back on> apply> ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create> click home> exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.

