Firefox AND IE hijacked.


Post by GrannyGrump » March 29th, 2010, 12:16 am

Both browsers are going to other sites when I try to access certain sites. Sometimes the sites are pop-unders, but sometimes the site will flash and then go to another site. AVG and Ad-Aware show nothing. Trend Micro freebies show nothing other than the HijackThis file. Oh, and every so often I get a window from Windows Security(?) that says I need to allow a Microsoft program to be installed. I have a screenshot of that if needed.

help please?

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:15:42 AM, on 3/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\AVG9\avgchsvx.exe
C:\AVG9\avgrsx.exe
C:\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Anyplace Control\apc_host.exe
C:\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\AVG9\avgnsx.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\AVG9\avgtray.exe
C:\ZoneAlarm\zlclient.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Magic Mail\Magic.exe
C:\Firefox3point6\firefox.exe
C:\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 6\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Acrobat 6\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Acrobat 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/armhelper.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: APC-Host - Anyplace Control Software - C:\Anyplace Control\apc_host.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Nero7Ultra\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8338 bytes

The 2nd file required:
Ad-Aware
Ad-Aware
Adobe Acrobat 6.0.1 Professional
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11
AnswerWorks Runtime
Anyplace Control 4.14_Full
Apple Application Support
ATI Display Driver
AVG 9.0
Big Fish Games Client
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 3.0
Canon MP560 series MP Drivers
Canon MP560 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Choice Guard
Clooz
Compatibility Pack for the 2007 Office system
Corel Applications
EasyCleaner
email-Upwords
Family Tree Maker 2009
Family Tree Maker Version 16
Haunted Manor Lord of Mirrors Collectors Edition 1.00
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Junk Mail filter update
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Primary Interoperability Assemblies 2005
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0
Mozilla Firefox (3.6)
Mozilla Thunderbird (2.0.0.9)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
Nero 7 Ultra Edition
Personal Phonebook Plus! 2.0
PowerDVD
Print Artist 22 Platinum
QualXServ Service Agreement
QuickTime
Registry Defragmentation
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
TextBridge Pro 11.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VR-1 Game Launcher
Weather Pulse 2.2.4.4
WebEx Support Manager for Internet Explorer
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
WinZip
WinZip 12.0
ZIP RAR ACE Password Recovery
ZoneAlarm
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Post by MWR 3 day Mod » April 1st, 2010, 2:17 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Firefox AND IE hijacked.

Post by km2357 » April 1st, 2010, 2:34 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh HiJackThis Log and an Uninstall List.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Post by GrannyGrump » April 1st, 2010, 5:15 pm

I'm ready whenever you are.
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Post by km2357 » April 1st, 2010, 8:18 pm

Please post a fresh HiJackThis Log and a fresh Uninstall List and we'll begin.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Post by GrannyGrump » April 1st, 2010, 9:17 pm

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:16:22 PM, on 4/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\AVG9\avgchsvx.exe
C:\AVG9\avgrsx.exe
C:\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Anyplace Control\apc_host.exe
C:\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\AVG9\avgnsx.exe
C:\AVG9\avgtray.exe
C:\ZoneAlarm\zlclient.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Magic Mail\Magic.exe
C:\Thunderbird\thunderbird.exe
C:\Firefox3point6\firefox.exe
C:\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 6\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Acrobat 6\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Acrobat 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/armhelper.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: APC-Host - Anyplace Control Software - C:\Anyplace Control\apc_host.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Nero7Ultra\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8368 bytes


Uninstall list:

Ad-Aware
Ad-Aware
Adobe Acrobat 6.0.1 Professional
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Adobe Shockwave Player 11
AnswerWorks Runtime
Anyplace Control 4.14_Full
Apple Application Support
ATI Display Driver
AVG 9.0
Big Fish Games Client
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 3.0
Canon MP560 series MP Drivers
Canon MP560 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Choice Guard
Clooz
Compatibility Pack for the 2007 Office system
Corel Applications
EasyCleaner
email-Upwords
Family Tree Maker 2009
Family Tree Maker Version 16
Haunted Manor Lord of Mirrors Collectors Edition 1.00
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Primary Interoperability Assemblies 2005
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0
Mozilla Firefox (3.6)
Mozilla Thunderbird (2.0.0.24)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
Nero 7 Ultra Edition
Personal Phonebook Plus! 2.0
PowerDVD
Print Artist 22 Platinum
QualXServ Service Agreement
QuickTime
Registry Defragmentation
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
TextBridge Pro 11.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VR-1 Game Launcher
Weather Pulse 2.2.4.4
WebEx Support Manager for Internet Explorer
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
WinZip
WinZip 12.0
ZIP RAR ACE Password Recovery
ZoneAlarm
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am
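As an added example (not part of this thread and not code from HijackThis), here is a small Python audit that parses lines in the format of the log above and flags the entry types a helper checks first in a case like this one: O17 NameServer values pointing at public resolvers the machine's owner never configured, an O2 BHO registered with no backing file, and autostart entries whose file is missing. The sample excerpt and the trusted resolver set (a home router at a private address) are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: a short excerpt in the format of the HijackThis log
# posted above (the O17 resolver addresses are the ones that log reports).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: SeaPort - Unknown owner - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
"""

# O17 lines: "<registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[\d.,\s]+)$")
# O2 lines: "BHO: <name> - {CLSID} - <dll path or '(no file)'>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "dns", "bho" or "missing_file"
    line: str    # the offending log line, verbatim
    reason: str


def nameserver_entries(log_text: str) -> dict[str, list[str]]:
    """Map each O17 registry key to the resolver list it carries.

    HijackThis abbreviates CurrentControlSet as CCS and ControlSet001/002 as
    CS1/CS2. A hijack that is cleaned in CCS only can come back from a
    'Last Known Good' boot, so every key is reported separately.
    """
    entries: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries[m["key"]] = [s.strip() for s in m["servers"].split(",") if s.strip()]
    return entries


def is_untrusted_resolver(ip: str, trusted: set[str]) -> bool:
    """True for a public resolver that the machine's owner did not configure.

    Private and loopback addresses (a home router, a local forwarder) are
    accepted as-is; anything else must be on the explicit trusted list.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                      # garbage in NameServer is suspicious too
    if addr.is_private or addr.is_loopback:
        return False
    return ip not in trusted


def audit_hjt_log(log_text: str, trusted_resolvers: set[str]) -> list[Finding]:
    """Flag the entry types a helper would check first in a DNS-hijack case."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            rogue = [s.strip() for s in m["servers"].split(",")
                     if is_untrusted_resolver(s.strip(), trusted_resolvers)]
            if rogue:
                findings.append(Finding("dns", line,
                                        "unexpected DNS resolver(s): " + ", ".join(rogue)))
            continue
        m = O2_RE.match(line)
        if m and m["path"].strip() == "(no file)":
            findings.append(Finding("bho", line, "BHO registered with no backing DLL"))
            continue
        if line.endswith("(file missing)"):
            findings.append(Finding("missing_file", line,
                                    "autostart entry points at a file that is gone"))
    return findings


if __name__ == "__main__":
    # Assumed trusted resolver: a home router at a private address (placeholder).
    for f in audit_hjt_log(SAMPLE_LOG, trusted_resolvers={"192.168.1.1"}):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the full log rather than the excerpt, the same three O17 keys plus the CS2 ones would be reported, which is exactly the set of entries a fix has to cover.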

Re: Firefox AND IE hijacked.

Post by km2357 » April 2nd, 2010, 2:28 pm

Step # 1: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67

    O17 - HKLM\System\CS1\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67

    O17 - HKLM\System\CS2\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Step # 2: Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 3: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error, etc.!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
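The six O17 entries km2357 flags above all point the active and backup control sets (CCS, CS1, CS2) at the same two external resolvers, 93.188.164.57 and 93.188.166.67. A resolver setting in the Tcpip registry keys is used by every program on the machine, so it is consistent with both Firefox and IE being redirected while the browsers themselves look clean. Below is a small audit script for exactly that check, added here as an example; it is not part of the thread, of HijackThis, or of the forum's procedure. It parses O17 lines from a HijackThis log, pulls out every NameServer address, and reports any that is neither a private (LAN) address nor in a caller-supplied list of expected resolvers. SAMPLE_LOG is copied from the log quoted above; the expected-resolver address 192.168.1.1 is a constructed assumption standing in for whatever the ISP or home router normally hands out.

```python
"""Audit the DNS resolver (NameServer) settings that HijackThis reports as
O17 entries and flag addresses that do not belong there.

Added example for this thread; not part of HijackThis or of the forum's
procedure.  SAMPLE_LOG is copied from the O17 lines quoted in the thread;
EXPECTED_RESOLVERS is a constructed assumption standing in for the
addresses the ISP or local router normally hands out.
"""
import ipaddress
import re

# One O17 line: "O17 - <registry key>: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+):\s*NameServer\s*=\s*(?P<servers>.+)$"
)

# Copied from the HijackThis log quoted in the thread.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{00D5BE73-FD50-40A8-B647-CD3AB4AF0079}: NameServer = 93.188.164.57,93.188.166.67",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.57,93.188.166.67",
]

# Constructed assumption: the resolver the home router normally provides.
EXPECTED_RESOLVERS = ["192.168.1.1"]


def parse_o17(lines):
    """Yield (registry_key, [server, ...]) for every O17 NameServer line."""
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            yield m.group("key"), servers


def is_trusted(server, expected_ips):
    """True if `server` is an expected resolver or a private (LAN) address."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not even an IP address: never trusted
    return ip in expected_ips or ip.is_private


def find_rogue_resolvers(lines, expected=EXPECTED_RESOLVERS):
    """Map each untrusted resolver to the registry keys that reference it."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    rogue = {}
    for key, servers in parse_o17(lines):
        for server in servers:
            if not is_trusted(server, expected_ips):
                rogue.setdefault(server, []).append(key)
    return rogue


def report(rogue):
    """Render the findings as lines an analyst could paste into a reply."""
    if not rogue:
        return ["No unexpected NameServer entries found."]
    out = []
    for server, keys in sorted(rogue.items()):
        out.append(f"{server}: referenced by {len(keys)} key(s)")
        out.extend(f"    {key}" for key in keys)
    return out


if __name__ == "__main__":
    print("\n".join(report(find_rogue_resolvers(SAMPLE_LOG))))
```

Run against the sample it lists both external addresses, each referenced from all six keys; because the backup control sets carry the same values, clearing only the CCS keys would leave the setting to come back after a "Last Known Good" boot, which is why all six entries are ticked in the step above.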

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 2nd, 2010, 7:16 pm

DDS log and Attach.zip


DDS (Ver_10-03-17.01) - NTFSx86
Run by Lori at 13:49:22.04 on Fri 04/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2629 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\AVG9\avgchsvx.exe
C:\AVG9\avgrsx.exe
svchost.exe
C:\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Anyplace Control\apc_host.exe
C:\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\AVG9\avgnsx.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\AVG9\avgtray.exe
C:\ZoneAlarm\zlclient.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Thunderbird\thunderbird.exe
C:\Documents and Settings\Lori\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\acrobat 6\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\avg9\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\acrobat 6\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\acrobat 6\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\acrobat 6\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [AVG9_TRAY] c:\avg9\avgtray.exe
mRun: [ZoneAlarm Client] "c:\zonealarm\zlclient.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\micros~1\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/armhelper.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lori\applic~1\mozilla\firefox\profiles\cmstxy32.default\
FF - prefs.js: browser.search.selectedEngine - AltaVista
FF - prefs.js: browser.startup.homepage - loricase.com
FF - plugin: c:\documents and settings\lori\application data\mozilla\firefox\profiles\cmstxy32.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\firefox 3-6\plugins\npnul32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_colors", true);
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\firefox3point6\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\firefox3point6\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\firefox3point6\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\firefox3point6\greprefs\all.js - pref("svg.smil.enabled", false);
c:\firefox3point6\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.debug", false);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\firefox3point6\greprefs\all.js - pref("html5.enable", false);
c:\firefox3point6\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\firefox3point6\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-10-13 184848]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-18 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-18 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-18 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-18 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-18 242696]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-18 353672]
R2 APC-Host;APC-Host;c:\anyplace control\apc_host.exe [2010-3-18 498688]
R2 avg9wd;AVG WatchDog;c:\avg9\avgwdsvc.exe [2010-3-12 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-8-14 992256]
S0 cerc6;cerc6; [x]
S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2008-4-13 14336]

============== File Associations ===============

txtfile=c:\notebook3\notebook.exe %1

=============== Created Last 30 ================

2010-04-02 13:40:12 299120 ----a-w- C:\isaac-malin-marriage-record.jpg
2010-04-02 13:31:44 1277656 ----a-w- C:\isaac-malin-constable-pa-1710.jpg
2010-04-02 03:10:16 70807 ----a-w- C:\max-yawn-pattison.jpg
2010-04-01 21:38:51 116528 ----a-w- C:\Mollyowlettes-ringtone.mp3
2010-04-01 21:38:41 156652 ----a-w- C:\Molly-ringtone.mp3
2010-04-01 21:38:30 221853 ----a-w- C:\Max-ringtone.mp3
2010-03-31 18:51:45 98752 ----a-w- C:\owlets.jpg
2010-03-31 18:49:05 102899 ----a-w- C:\max-molly.jpg
2010-03-31 03:39:12 0 d-----w- c:\docume~1\lori\applic~1\HSA
2010-03-31 02:35:14 0 d-----w- c:\docume~1\lori\applic~1\Windows Live Writer
2010-03-31 00:06:11 332641 ----a-w- C:\MollyYoga.jpg
2010-03-31 00:05:39 153673 ----a-w- C:\wesley-owlet2.jpg
2010-03-30 14:26:00 32249 ----a-w- C:\eliza-lott-2.jpg
2010-03-30 14:25:51 27883 ----a-w- C:\eliza-lott.jpg
2010-03-30 14:25:41 32180 ----a-w- C:\mary-lott.jpg
2010-03-30 14:25:32 17874 ----a-w- C:\ann-lott.jpg
2010-03-30 14:24:47 27024 ----a-w- C:\martha-lemen-tomlinson.jpg
2010-03-30 14:24:29 31579 ----a-w- C:\mary-lemen.jpg
2010-03-30 14:24:15 32836 ----a-w- C:\gabriel-lemen.jpg
2010-03-30 14:09:17 89211 ----a-w- C:\jeffcrthouse_01.jpg
2010-03-29 21:57:17 0 d-----w- C:\Hidden Identity
2010-03-29 21:08:09 91470 ----a-w- C:\food!.jpg
2010-03-29 21:03:32 101516 ----a-w- C:\who's-there.jpg
2010-03-29 16:57:40 103270 ----a-w- C:\molly-and-4.jpg
2010-03-29 16:57:24 96498 ----a-w- C:\molly2.jpg
2010-03-29 16:57:08 95612 ----a-w- C:\molly3.jpg
2010-03-29 16:56:52 95612 ----a-w- C:\Image1.jpg
2010-03-29 11:39:25 0 d-----w- c:\docume~1\lori\applic~1\Malwarebytes
2010-03-29 11:39:24 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 11:39:22 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 11:39:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-29 11:37:52 0 d-----w- C:\Malwarebytes.1.32
2010-03-29 11:30:42 68273 ----a-w- C:\win-net-security-error.jpg
2010-03-29 04:47:55 6509608 ----a-w- C:\RUBotted.exe
2010-03-29 04:45:15 0 d-----w- C:\TMRBLog
2010-03-29 04:45:09 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-29 04:45:09 0 d-----w- C:\log
2010-03-29 04:44:12 1074232 ----a-w- C:\RootkitBuster_2.80.1077.zip
2010-03-29 04:39:15 0 d-----w- C:\TrendMicro
2010-03-29 04:34:13 71963 ----a-w- C:\crack-me-up.gif
2010-03-29 04:30:59 1840232 ----a-w- C:\HousecallLauncher.exe
2010-03-29 03:44:50 66396 ----a-w- C:\4-owlets.jpg
2010-03-28 20:13:22 107015 ----a-w- C:\wesley-owlet.jpg
2010-03-28 19:21:05 0 d-----w- C:\Firefox3point6
2010-03-28 18:53:28 4592 ----a-w- C:\b4-firefox-removal.reg
2010-03-28 16:32:16 108862 ----a-w- C:\AustinM.jpg
2010-03-28 15:18:49 0 d-----w- c:\docume~1\alluse~1\applic~1\AlawarWrapper
2010-03-28 15:12:29 0 d-----w- C:\Joan Jade
2010-03-28 15:11:11 0 d-----w- C:\Joan.Jade.and.the.Gates.of.Xibalba.v1.0.0.0-TE
2010-03-28 14:38:11 0 d-----w- C:\Defrag Registry
2010-03-28 02:10:30 223891 ----a-w- C:\egg-pip.jpg
2010-03-27 03:44:25 0 d-----w- C:\Gates
2010-03-27 00:53:42 144100482 ----a-w- C:\C.W.Pro.2010.v10.0.5.163.Multilingual.Incl.Keymaker-CORE.rar
2010-03-26 23:27:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Gogii
2010-03-26 22:08:23 0 d-----w- C:\Haunted Manor Lord of Mirrors
2010-03-26 18:54:09 56337 ----a-w- C:\kb-acct.jpg
2010-03-26 17:45:06 224706 ----a-w- C:\flat-stanley.jpg
2010-03-26 17:20:54 66672 ----a-w- C:\h-w-secondary-ins.pdf
2010-03-26 17:13:22 15772 ----a-w- C:\cd-2-burn-3-26.roxio
2010-03-26 16:01:48 16384 ----a-w- C:\wayne-invest-payment.xls
2010-03-26 14:35:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-26 14:34:12 0 d-----w- C:\Firefox 3-6-2(2)
2010-03-25 13:06:11 153584 ----a-w- C:\max-pattison.jpg
2010-03-25 05:47:53 52432 ----a-w- C:\mcghee.jpg
2010-03-24 23:05:05 0 d-----w- c:\docume~1\lori\applic~1\Jetdogs Studios
2010-03-24 22:17:37 1811456 ----a-w- c:\windows\NetworkCfg.exe
2010-03-24 19:50:40 15015 ----a-w- C:\Just_Checking_v3.15_by_FFF.zip
2010-03-24 16:20:08 0 dc----w- c:\docume~1\alluse~1\applic~1\{35ACA973-70F0-495F-9092-74A130711865}
2010-03-24 14:17:41 44736 ----a-w- C:\anyplace-control-info.jpg
2010-03-24 14:12:43 0 d-----w- c:\documents and settings\all users\Anyplace Control 4
2010-03-24 14:06:39 0 d-----w- C:\Anyplace Control
2010-03-23 23:57:37 0 d-----w- c:\docume~1\lori\applic~1\Artifex Mundi
2010-03-23 16:09:59 295616 ----a-w- C:\Molly-FamilyMonday.jpg
2010-03-23 00:43:06 9855 ----a-w- C:\giant-caterpiller.jpg
2010-03-22 21:03:50 0 d-----w- c:\docume~1\alluse~1\applic~1\HiddenSecretsNightmare
2010-03-22 03:48:27 0 d-----w- C:\BadCopy_Pro_v4.10__Jufsoft_Build_1215
2010-03-22 01:23:00 2584093 ----a-w- C:\Weather Forecaster.zip
2010-03-21 15:24:49 23906 ----a-w- C:\frogsmiley.gif
2010-03-21 03:58:12 0 d-----w- C:\Viewsat
2010-03-20 19:15:55 97364760 ----a-w- C:\Ad-AwareInstaller.exe
2010-03-19 22:15:18 1916670 ----a-w- C:\brains.gif
2010-03-19 13:26:35 0 d-----w- c:\docume~1\lori\applic~1\EBookSys
2010-03-19 01:19:23 66710 ----a-w- C:\spring-is-coming.gif
2010-03-18 14:22:09 6876688 ----a-w- C:\Thunderbird Setup 2.0.0.24.exe
2010-03-18 13:47:13 9009352 ----a-w- C:\Thunderbird Setup 3.0.3.exe
2010-03-18 02:08:46 12764 ----a-w- C:\check-your-eggs.jpg
2010-03-17 03:35:31 0 d-----w- c:\docume~1\lori\applic~1\AzuazGames
2010-03-17 03:10:05 1960 ----a-w- C:\wells-fargo-refinance-fax-3-10.wpd
2010-03-16 15:15:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Nevosoft
2010-03-16 04:37:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Big Fish Games
2010-03-15 21:39:12 0 d-----w- c:\docume~1\lori\applic~1\Silverback Productions
2010-03-15 17:19:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Vampireville
2010-03-14 22:48:00 0 d-----w- c:\docume~1\lori\applic~1\QB9
2010-03-14 19:31:53 38904 ----a-w- C:\winver.jpg
2010-03-14 17:37:13 0 d-----w- c:\docume~1\lori\applic~1\Frogwares
2010-03-14 15:23:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-14 04:20:20 0 d-----w- c:\docume~1\lori\applic~1\DarkParablesBriarRose_BFG
2010-03-14 02:17:51 0 d-----w- c:\docume~1\lori\applic~1\DarkParablesRose_BFG_Survey
2010-03-13 15:56:34 11629915 ----a-w- C:\Shozam_download.exe
2010-03-13 15:22:59 0 d-----w- C:\Applets
2010-03-13 13:38:22 0 d-----w- C:\Firefox 3-6
2010-03-13 13:37:37 194086 ----a-w- C:\trojan.jpg
2010-03-12 22:22:03 0 d-----w- c:\docume~1\lori\applic~1\Artogon
2010-03-12 19:14:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 20:50:49 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-11 20:50:33 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-11 20:50:33 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-11 20:50:33 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-11 20:50:33 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-11 20:50:33 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-11 20:50:33 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-11 20:49:38 0 dc-h--w- c:\windows\ie8
2010-03-11 19:06:27 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-11 19:05:27 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-11 19:05:26 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-11 19:05:26 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-11 19:05:13 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-11 16:56:04 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-03-11 16:56:00 156672 -c--a-w- c:\windows\system32\dllcache\winzm.ime
2010-03-11 16:54:56 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-03-11 16:53:09 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-03-11 11:36:50 0 d-----w- c:\windows\Dell
2010-03-05 18:36:16 0 d-sh--w- C:\$RECYCLE.BIN

==================== Find3M ====================

2010-03-12 19:14:08 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 19:13:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 19:13:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-11 16:52:12 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-27 15:48:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-14 21:59:51 4592 ----a-w- C:\reg-b4-acrobat8.reg

============= FINISH: 13:49:51.95 ===============


GMER.exe, after about 3 hours scanning, caused Windows XP sp3 to shut itself down. Do I try it again? And also, do I scan both drives, or just C drive?
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 2nd, 2010, 8:40 pm

Please do not attach any logs I ask for, just post them normally from now on. Only attach them if requested to do so.

Since GMER shut down on you, let's try another rootkit scanner in its place:


Step # 1: Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 2nd, 2010, 9:09 pm

km2357 wrote: Please do not attach any logs I ask for, just post them normally from now on. Only attach them if requested to do so.


Sorry, the text for attach.txt said to zip and attach the file, so I did.

Will get back to you with the next file soon.
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 2nd, 2010, 9:54 pm

Sysprot ran, results in text file:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 624
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 700
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 776
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 788
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 980
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1060
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1156
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1312
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1412
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PID: 1460
Hidden: No
Window Visible: No

Name: C:\AVG9\avgchsvx.exe
PID: 1512
Hidden: No
Window Visible: No

Name: C:\AVG9\avgrsx.exe
PID: 1520
Hidden: No
Window Visible: No

Name: C:\AVG9\avgcsrvx.exe
PID: 1628
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1968
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 440
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 512
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1096
Hidden: No
Window Visible: No

Name: C:\Anyplace Control\apc_host.exe
PID: 1132
Hidden: No
Window Visible: No

Name: C:\AVG9\avgwdsvc.exe
PID: 1208
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1256
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\HPZipm12.exe
PID: 1196
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1384
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PID: 2136
Hidden: No
Window Visible: No

Name: C:\AVG9\avgnsx.exe
PID: 2236
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 3432
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3592
Hidden: No
Window Visible: No

Name: C:\AVG9\avgtray.exe
PID: 3820
Hidden: No
Window Visible: No

Name: C:\ZoneAlarm\zlclient.exe
PID: 3868
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PID: 3876
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PID: 3924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 3964
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PID: 3992
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PID: 1508
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 976
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3948
Hidden: No
Window Visible: No

Name: C:\Sysprot\SysProt\SysProt.exe
PID: 1788
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Sysprot\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BA1F8000
Module End: BA203000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BA5A8000
Module End: BA5AA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BA4B8000
Module End: BA4BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B9F79000
Module End: B9FA7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BA5AA000
Module End: BA5AC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B9F68000
Module End: B9F79000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA0A8000
Module End: BA0B2000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ---
Module Base: B9E5D000
Module End: B9E75000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BA670000
Module End: BA671000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BA328000
Module End: BA32F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA0B8000
Module End: BA0C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B9E3E000
Module End: B9E5D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BA5AC000
Module End: BA5AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: B9E18000
Module End: B9E3E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BA330000
Module End: BA335000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA0C8000
Module End: BA0D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B9E00000
Module End: B9E18000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ahcix86.sys
Service Name: ahcix86
Module Base: B9DBD000
Module End: B9E00000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA0D8000
Module End: BA0E1000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA0E8000
Module End: BA0F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: B9D9D000
Module End: B9DBD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B9D8B000
Module End: B9D9D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: BA0F8000
Module End: BA107000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA108000
Module End: BA111000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B9D74000
Module End: B9D8B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B9CE7000
Module End: B9D74000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B9CBA000
Module End: B9CE7000
Hidden: No

Module Name: srescan.sys
Service Name: srescan
Module Base: B9CA6000
Module End: B9CBA000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B9C8C000
Module End: B9CA6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\avgrkx86.sys
Service Name: AvgRkx86
Module Base: BA118000
Module End: BA124000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\processr.sys
Service Name: Processor
Module Base: BA268000
Module End: BA271000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: B7712000
Module End: B7C44000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B76FE000
Module End: B7712000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B76D6000
Module End: B76FE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
Service Name: RTLE8023xp
Module Base: B76B9000
Module End: B76D6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BA278000
Module End: BA288000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BA288000
Module End: BA297000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B7696000
Module End: B76B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BA298000
Module End: BA2A3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: BA3D8000
Module End: BA3DD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B7672000
Module End: B7696000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BA3E0000
Module End: BA3E8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BA799000
Module End: BA79A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BA2A8000
Module End: BA2B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BA578000
Module End: BA57B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B765B000
Module End: B7672000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BA2B8000
Module End: BA2C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BA2C8000
Module End: BA2D4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BA3E8000
Module End: BA3ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B764A000
Module End: B765B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BA2D8000
Module End: BA2E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BA3F0000
Module End: BA3F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BA3F8000
Module End: BA3FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B75F2000
Module End: B7622000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BA2E8000
Module End: BA2F2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BA400000
Module End: BA406000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BA408000
Module End: BA40E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BA5BE000
Module End: BA5C0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B7594000
Module End: B75F2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BA594000
Module End: BA598000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viahduaa.sys
Service Name: VIAHdAudAddService
Module Base: B74A1000
Module End: B7594000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B747D000
Module End: B74A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BA2F8000
Module End: BA307000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\monfilt.sys
Service Name: monfilt
Module Base: B7329000
Module End: B747D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BA308000
Module End: BA312000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\AtiHdmi.sys
Service Name: AtiHdmiService
Module Base: AB124000
Module End: AB13F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BA158000
Module End: BA167000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BA5C6000
Module End: BA5C8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: B7C50000
Module End: B7C53000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BA5CC000
Module End: BA5CE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BA6D5000
Module End: BA6D6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BA5CE000
Module End: BA5D0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BA428000
Module End: BA42F000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BA430000
Module End: BA436000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BA5D0000
Module End: BA5D2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BA5D2000
Module End: BA5D4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BA438000
Module End: BA43D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BA440000
Module End: BA448000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B7C48000
Module End: B7C4B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: AB0F1000
Module End: AB104000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: AB098000
Module End: AB0F1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: AB036000
Module End: AB070000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: AB010000
Module End: AB036000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA178000
Module End: BA181000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: BA554000
Module End: BA557000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: BA188000
Module End: BA191000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: BA450000
Module End: BA457000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: AAFE8000
Module End: AB010000
Hidden: No

Module Name: C:\WINDOWS\System32\vsdatant.sys
Service Name: vsdatant
Module Base: AAF7D000
Module End: AAFE8000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: AAF5B000
Module End: AAF7D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA198000
Module End: BA1A1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: AAF30000
Module End: AAF5B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: AAEC0000
Module End: AAF30000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA1A8000
Module End: BA1B3000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: BA458000
Module End: BA45E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: AAE8C000
Module End: AAEC0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: BA56C000
Module End: BA56F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\sfloppy.sys
Service Name: Sfloppy
Module Base: B763E000
Module End: B7641000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: B7636000
Module End: B763A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA1E8000
Module End: BA1F8000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AAE24000
Module End: AAE3C000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA610000
Module End: BA612000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: AB070000
Module End: AB073000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BA480000
Module End: BA485000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BA6A0000
Module End: BA6A1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: A8717000
Module End: A871B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\pnarp.sys
Service Name: pnarp
Module Base: BA380000
Module End: BA385000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\purendis.sys
Service Name: purendis
Module Base: BA388000
Module End: BA38D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: A833F000
Module End: A8363000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: A819A000
Module End: A81AF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B7299000
Module End: B72A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A7EF7000
Module End: A7F24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A7DB0000
Module End: A7E07000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A7987000
Module End: A79C8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: A75C4000
Module End: A75EF000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwConnectPort
Address: AAF9EFC0
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateFile
Address: AAF9BC80
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: AAFB6170
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreatePort
Address: AAF9F580
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: AAFB3900
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: AAFB3B10
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: AAFB7B10
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateWaitablePort
Address: AAF9F670
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteFile
Address: AAF9C210
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: AAFB69F0
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: AAFB67A0
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDuplicateObject
Address: AAFB3280
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: AAFB6F10
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey2
Address: AAFB6F90
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenFile
Address: AAF9C070
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenProcess
Address: AAFB5180
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenThread
Address: AAFB4F40
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRenameKey
Address: AAFB76F0
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: AAFB7150
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRequestWaitReplyPort
Address: AAF9EBE0
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: AAFB7540
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSecureConnectPort
Address: AAF9F190
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationFile
Address: AAF9C440
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: AAFB64E0
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSystemDebugControl
Address: AAFB4200
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: AAFB4080
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\Chkdsk
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}
Status: Access denied
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am
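
The anti-rootkit scan report quoted above (module list, SSDT section, hidden files) is what the helpers in this thread triage by hand. The Python script below is an added example for this page, not code from MalwareRemoval.com or from the scanner that produced the log. It parses that report layout and pulls out what an analyst looks at first: modules the scanner flagged as hidden, modules with no service name, how many SSDT entries each driver owns, and whether each hook address really falls inside the driver range the report credits it to, cross-checked against the module list. The embedded sample is constructed from a few records copied in the same layout as the posted log, plus one deliberately inconsistent hook record, ZwConstructedExample, which is made up purely to exercise the range check.

```python
"""Triage the driver/SSDT report format quoted above.
Added example for this thread, not code from MalwareRemoval.com or from the
scanner that produced the log: parse the 'Key: Value' records, list hidden
modules and unnamed services, count SSDT hooks per driver, and range-check hooks.
"""
import re
from collections import Counter

# Constructed sample in the same layout as the posted log. The module and hook
# records are copied from it; ZwConstructedExample is a made-up, deliberately
# inconsistent hook added only to exercise the range check.
SAMPLE_REPORT = r"""Module Name: srescan.sys
Service Name: srescan
Module Base: B9CA6000
Module End: B9CBA000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AAE24000
Module End: AAE3C000
Hidden: Yes

Module Name: C:\WINDOWS\System32\vsdatant.sys
Service Name: vsdatant
Module Base: AAF7D000
Module End: AAFE8000
Hidden: No

******************************************************************************************
SSDT:
Function Name: ZwCreateFile
Address: AAF9BC80
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwConstructedExample
Address: AAE30000
Driver Base: AAF7D000
Driver End: AAFE8000
Driver Name: \SystemRoot\System32\vsdatant.sys

******************************************************************************************
No Kernel Hooks found
"""
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_report(text):
    """Split the report into module records and SSDT hook records.
    A record is a run of 'Key: Value' lines; a blank line, a separator row, a
    bare header such as 'SSDT:' or any other text ends it."""
    modules, hooks, record = [], [], {}

    def flush():
        nonlocal record
        if "Module Name" in record:
            modules.append(record)
        elif "Function Name" in record:
            hooks.append(record)
        record = {}

    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(2):
            record[m.group(1)] = m.group(2).strip()
        else:
            flush()
    flush()
    return modules, hooks

def in_range(addr_hex, base_hex, end_hex):
    """True when base <= addr < end, all given as the report's hex strings."""
    return int(base_hex, 16) <= int(addr_hex, 16) < int(end_hex, 16)

def resolve_address(modules, addr_hex):
    """Name of the loaded module whose range contains the address, else None."""
    for m in modules:
        if in_range(addr_hex, m["Module Base"], m["Module End"]):
            return m["Module Name"]
    return None

def triage(text):
    """Summarise what an analyst checks first in one of these reports."""
    modules, hooks = parse_report(text)
    return {
        "hidden": [m["Module Name"] for m in modules if m.get("Hidden", "").lower() == "yes"],
        "unnamed_service": [m["Module Name"] for m in modules if m.get("Service Name") == "---"],
        "hooks_per_driver": dict(Counter(h["Driver Name"] for h in hooks)),
        # Hooks whose address is not inside the driver the report credits them to.
        "hooks_outside_owner": [h["Function Name"] for h in hooks
                                if not in_range(h["Address"], h["Driver Base"], h["Driver End"])],
        # Independent lookup of each hook address in the module list.
        "hook_owners": {h["Function Name"]: resolve_address(modules, h["Address"]) for h in hooks},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full log above, the same checks show every SSDT entry credited to vsdatant.sys, the ZoneAlarm firewall's kernel driver (the opening post's process list shows ZoneLabs\vsmon.exe running), and the module list shows that driver loaded at exactly the range the SSDT section names, so those hooks are consistent with the installed firewall rather than evidence of a rootkit. The entries flagged as hidden still deserve a look: the two dump_*.sys records are the crash-dump copies of the disk driver stack, which such scanners routinely report as hidden, while srescan.sys should be identified before the log is called clean.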

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 3rd, 2010, 1:01 pm

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 3rd, 2010, 4:19 pm

km2357 wrote: Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.



ComboFix couldn't connect to Microsoft to install the recovery console, so after an hour I stopped it.

Should I manually install the Console, then run ComboFix again?

(I wouldn't swear positively, but I think what you have had me do prior to this fixed the problem with the browsers, because now sites that previously were redirecting to really odd sites no longer redirect. But I am still getting a message from Windows Security that I need to install some sort of online tool when I go to some sites...such as tinyurl.com and find-a-grave.com)
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 4th, 2010, 1:21 pm

ComboFix couldn't connect to Microsoft to install the recovery console, so after an hour I stopped it.

Should I manually install the Console, then run ComboFix again?


We'll do just that. :)

Go to Microsoft's website => http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

Click on the Start button.

Click on the Run menu option.

In the Open: field type the following: sysdm.cpl and then click on the OK button.

A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click and drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes'.

Please post the ComboFix Log in your next post/reply.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 4th, 2010, 6:46 pm

I downloaded the file for SP2 as instructed since I have SP3, and dropped it on ComboFix. All that happened was a blue box with a flashing cursor in it, so after 15 minutes I stopped it.

What am I doing wrong???

ComboFix couldn't connect to Microsoft to install the recovery console, so after an hour I stopped it.

Should I manually install the Console, then run ComboFix again?


We'll do just that. :)

Go to Microsoft's website => http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

Click on the Start button.

Click on the Run menu option.

In the Open: field type the following: sysdm.cpl and then click on the OK button.

A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click and drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes'.

Please post the ComboFix Log in your next post/reply.
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am