Tweaks.com Forum / Windows & System Security / HiJack This Logs / Persistent Spyware pop-ups (Virus Heat et.al) / Latest Posts

RE: Persistent Spyware pop-ups (Virus Heat et.al)

RichieUK — Wed, 14 May 2008 01:48:29 GMT

You're most welcome:)

RE: Persistent Spyware pop-ups (Virus Heat et.al)

antral917 — Wed, 14 May 2008 00:08:27 GMT

PC is running smoothly now. Thank you very much for the help RichieUK, God bless.:)

RE: Persistent Spyware pop-ups (Virus Heat et.al)

RichieUK — Mon, 12 May 2008 04:02:51 GMT

Your log is clean:),please do the following:

Click on Start/Run,copy and paste [b]ComboFix /u[/b] into the 'Open:' space,then press Ok.
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,hide the system/hidden files and resets System Restore.

[IMG]http://img.photobucket.com/albums/v624/29wood/comu.gif[/IMG]

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

[b][color="blue"]Simple and easy ways to keep your computer safe and secure on the Internet[/color][/b]:
[url]http://www.bleepingcomputer.com/tutorials/tutorial82.html[/url]

[b][color="blue"]How to prevent Malware[/color][/b]:
[url]http://users.telenet.be/bluepatchy/miekiemoes/prevention.html[/url]

[B][color="blue"]So how did I get infected in the first place[/color][/B]:
[URL]http://forums.spybot.info/showthread.php?t=279[/URL]

[B][color="blue"]Malware Cleanup Programs and Preventative Procedures[/color][/B]:
[URL]http://russelltexas.com/malware/allclear.htm[/URL]

[b][color="blue"]Hardening Windows Security - Part 1[/color][/b]:
[url]http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html[/url]

[b][color="blue"]Hardening Windows Security - Part 2[/color][/b]:
[url]http://www.malwarehelp.org/malware-prevention-hardening-windows-security2.html[/url]

RE: Persistent Spyware pop-ups (Virus Heat et.al)

antral917 — Mon, 12 May 2008 03:40:55 GMT

Did as per instruction, detected 3 threats although Avira also detected two trojans while Super AntiSpyware was scanning (I deleted them:unsure:)... after rebooting, PC is running fine... no threats detected so far.

Here's the report you requested:

Super AntiSpyware Scan Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/12/2008 at 04:03 PM

Application Version : 4.0.1154

Core Rules Database Version : 3458
Trace Rules Database Version: 1449

Scan type : Complete Scan
Total Scan Time : 01:27:18

Memory items scanned : 329
Memory threats detected : 0
Registry items scanned : 3742
Registry threats detected : 0
File items scanned : 9302
File threats detected : 3

Rogue.VirusHeat
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61551398-1387-45C8-B816-B8193A5D57EE}\RP86\A0076031.EXE

Unclassified.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61551398-1387-45C8-B816-B8193A5D57EE}\RP90\A0076147.DLL

Adware.Vundo-Variant/H
C:\SYSTEM VOLUME INFORMATION\_RESTORE{61551398-1387-45C8-B816-B8193A5D57EE}\RP90\A0076148.DLL

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:07 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 4793 bytes

RE: Persistent Spyware pop-ups (Virus Heat et.al)

RichieUK — Sat, 10 May 2008 02:37:09 GMT

Your version of [b]Sun Java[/b] is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of [b][url=http://java.sun.com/javase/downloads/index.jsp][color="blue"]Java Runtime Environment (JRE)[/color][/url][/b]
2. Scroll down to where it says '[b]Java Runtime Environment (JRE) 6u6[/b]'.
3. Click the "Download" button to the right.
4. Select the Platform and Language for your download,then check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download [b]'Windows Offline Installation, Multi-language - jre-6u6-windows-i586-p.exe'[/b] [15.21 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on [b]jre-6u6-windows-i586-p.exe[/b] to install the newest version.

Download [b]ATF Cleaner[/b] by [b]Atribune[/b]:
[url]http://www.atribune.org/ccount/click.php?id=1[/url]
[b]Do not run it just yet.[/b]

Download\install [b]'SuperAntiSpyware Free Version Home Users'[/b] from here:
[URL]http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE[/URL]

Launch SuperAntiSpyware and click on 'Check for updates'.
If you encounter any error messages while downloading the updates,manually download them from [B][URL=http://www.superantispyware.com/definitions.html][COLOR="BLUE"]Here[/COLOR][/URL][/B].
Once the updates have been installed,[b]exit[/b] SuperAntiSpyware.
[b]Do not run it just yet.[/b]

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
[b]R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com[/b]
Exit Hijackthis.

[b]Now double-click ATF-Cleaner.exe to run the program.[/b]
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use [b]Firefox[/b] browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
[b][color="blue"]NOTE:[/color][/b]
[color="blue"]If you would like to keep your saved passwords,please click [b]'No'[/b] at the prompt.[/color]
If you use [b]Opera[/b] browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
[b][color="blue"]NOTE:[/color][/b]
[color="blue"]If you would like to keep your saved passwords,please click [b]'No'[/b] at the prompt.[/color]
Click 'Exit' on the Main menu to close the program.

[b]Now Start SuperAntiSpyware.[/b]
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
[b]Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.[/b]

RE: Persistent Spyware pop-ups (Virus Heat et.al)

antral917 — Sat, 10 May 2008 02:10:02 GMT

ComboFix Report:

ComboFix 08-05-07.1 - user 2008-05-10 14:06:32.2 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\BM73f6d938.xml
C:\WINDOWS\system32\ssqPihIc.VIR
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\user\Favorites\Online Security Test.url
C:\WINDOWS\BM73f6d938.xml
C:\WINDOWS\system32\ssqPihIc.VIR

.
((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Program Files\Avira
2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-07 14:17 . 2008-05-07 14:17 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-04 03:13 . 2008-05-07 18:42 <DIR> d-------- C:\WINDOWS\system32\527631
2008-04-27 22:29 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-27 05:32 . 2008-04-27 22:56 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-27 05:32 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-26 21:33 . 2008-05-07 23:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-26 21:31 . 2008-05-09 19:07 <DIR> d-------- C:\WINDOWS\system32\717305
2008-04-21 02:38 . 2008-04-21 02:38 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 15:12 --------- d-----w C:\Program Files\Yahoo!
2008-04-25 12:58 --------- d-----w C:\Documents and Settings\user\Application Data\mIRC
2008-04-25 12:57 --------- d-----w C:\Program Files\mIRC
2008-03-30 18:05 --------- d-----w C:\Program Files\Java
2008-03-30 17:41 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
1999-12-31 17:09 1,491,592 ----a-w C:\Program Files\install_flash_player.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\527631 ----

---- Directory of C:\WINDOWS\system32\717305 ----

((((((((((((((((((((((((((((( snapshot@2008-05-09_19.59.48.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 11:46:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 1999-12-31 16:01:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 22:29 962560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="C:\Program Files\PCI Audio Applications\Mixer.exe" [2000-09-14 04:02 1077248]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-24 07:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-20 10:19 49152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-09 09:35 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 08:50 33792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 02:50 155648]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 14:12:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-10 14:18:03
ComboFix-quarantined-files.txt 2008-05-10 06:17:23
ComboFix2.txt 2008-05-09 12:01:57

Pre-Run: 11,822,874,624 bytes free
Post-Run: 11,815,497,728 bytes free

93 --- E O F --- 1999-12-31 16:16:43

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:38 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 4660 bytes

RE: Persistent Spyware pop-ups (Virus Heat et.al)

RichieUK — Fri, 09 May 2008 07:28:20 GMT

Copy and paste ALL the following text in the code box below into [b]Notepad[/b].
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: [b]CFScript[/b] to your desktop.
[quote]File::
C:\WINDOWS\BM73f6d938.xml
C:\WINDOWS\system32\ssqPihIc.VIR
DirLook::
C:\WINDOWS\system32\527631
C:\WINDOWS\system32\717305
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"70c5eaa4"=-
[/quote]
Now drag then drop the [b]CFScript[/b] file onto [b]ComboFix.exe[/b] as seen in the image below.

[img]http://img.photobucket.com/albums/v624/29wood/CFScript.gif[/img]

This will start ComboFix again.
After reboot, (in case it asks to reboot), [b]post the contents of Combofix.txt in your next reply along with a new HijackThis log.[/b]

RE: Persistent Spyware pop-ups (Virus Heat et.al)

antral917 — Fri, 09 May 2008 07:16:29 GMT

FixWareout Log:

Username "user" - 01/01/2000 2:13:07 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdivz.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.118 85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4062C091-BA42-4D76-9356-89C52D2CE5B3}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{67296F48-A252-434E-A81D-076EAA5DBA54}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F230753C-F5C4-42B1-882D-F152132F52FE}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{67296F48-A252-434E-A81D-076EAA5DBA54}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F230753C-F5C4-42B1-882D-F152132F52FE}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdivz.ren 60416 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="C:\\Program Files\\PCI Audio Applications\\Mixer.exe /startup"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"70c5eaa4"="rundll32.exe \"C:\\WINDOWS\\system32\\vxndfcos.dll\",b"
"BM73f6d938"="Rundll32.exe \"C:\\WINDOWS\\system32\\mnrecgwh.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Avira AntiVir PE Report:

Avira AntiVir Personal
Report file date: Friday, May 09, 2008 13:50

Scanning for 1165085 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: USER-BF5756DC9B

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 03:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 02:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 02:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 02:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 04:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 07:08:58
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 3/21/2008 13:12:34
ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 3/25/2008 02:27:50
Engineversion : 8.1.0.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 03:58:21
AESCRIPT.DLL : 8.1.0.19 229754 Bytes 4/7/2008 09:34:44
AESCN.DLL : 8.1.0.12 115060 Bytes 4/7/2008 09:34:44
AERDL.DLL : 8.1.0.19 418164 Bytes 4/7/2008 09:34:44
AEPACK.DLL : 8.1.1.0 364918 Bytes 3/18/2008 05:20:42
AEOFFICE.DLL : 8.1.0.15 192889 Bytes 4/7/2008 09:34:44
AEHEUR.DLL : 8.1.0.15 1147253 Bytes 4/7/2008 09:34:44
AEHELP.DLL : 8.1.0.11 115061 Bytes 4/7/2008 09:34:43
AEGEN.DLL : 8.1.0.15 299379 Bytes 4/7/2008 09:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/7/2008 09:34:43
AECORE.DLL : 8.1.0.25 168309 Bytes 4/8/2008 03:58:32
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 11:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 04:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 07:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 11:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 02:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 02:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 11:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 11:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 06:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 08:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 06:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, May 09, 2008 13:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'Ares.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'Mixer.exe' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\xaqwbqpd.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\bwuffbrv.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4898e77b.qua'!

The registry was scanned ( '25' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\12UD83P2\yaypalassamosvala[1]
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '489ce801.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP86\A0076036.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4853fbe3.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP87\A0076053.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4853fbf9.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP89\A0076092.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4853fc10.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP89\A0076093.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4853fc19.qua'!
C:\WINDOWS\system32\bueyydnr.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48890940.qua'!
C:\WINDOWS\system32\bwehxbyr.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48890954.qua'!
C:\WINDOWS\system32\fjnppfut.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48920e19.qua'!
C:\WINDOWS\system32\fthhiatn.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488c1c2d.qua'!
C:\WINDOWS\system32\kvamvicm.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48851c63.qua'!
C:\WINDOWS\system32\mnrecgwh.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48961c73.qua'!
C:\WINDOWS\system32\nndetcmm.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48881cd6.qua'!
C:\WINDOWS\system32\ojphqisl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48941cf0.qua'!
C:\WINDOWS\system32\ojtppkwa.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48981cf2.qua'!
C:\WINDOWS\system32\ssqPihIc.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\WINDOWS\system32\svcaggmj.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48871d5b.qua'!
C:\WINDOWS\system32\vxndfcos.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\WINDOWS\system32\xaqwbqpd.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
Begin scan in 'E:\'

End of the scan: Friday, May 09, 2008 17:52
Used time: 4:04:25 min

The scan has been done completely.

2001 Scanning directories
142707 Files were scanned
20 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
16 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
142687 Files not concerned
607 Archives were scanned
6 Warnings
16 Notes

ComboFix Report:

ComboFix 08-05-07.1 - user 2008-05-09 18:49:51.1 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NetProject
C:\Program Files\NetProject\Thumbs.db
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\717305\717305.dll
C:\WINDOWS\system32\cIhiPqss.ini
C:\WINDOWS\system32\cIhiPqss.ini2
C:\WINDOWS\system32\dpqbwqax.ini
C:\WINDOWS\system32\dshnxwwg.ini
C:\WINDOWS\system32\efechrcn.ini
C:\WINDOWS\system32\kyxiwngi.ini
C:\WINDOWS\system32\lsiqhpjo.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\socfdnxv.ini
C:\WINDOWS\system32\ssqQiifG.dll
C:\WINDOWS\system32\vounokkx.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Program Files\Avira
2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-07 14:17 . 2008-05-07 14:17 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-04 03:25 . 2008-05-09 13:04 109,816 --a------ C:\WINDOWS\BM73f6d938.xml
2008-05-04 03:19 . 2008-05-04 03:19 281,600 --a------ C:\WINDOWS\system32\ssqPihIc.VIR
2008-05-04 03:13 . 2008-05-07 18:42 <DIR> d-------- C:\WINDOWS\system32\527631
2008-04-27 22:29 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-27 05:32 . 2008-04-27 22:56 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-27 05:32 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-26 21:33 . 2008-05-07 23:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-26 21:31 . 2008-05-09 19:07 <DIR> d-------- C:\WINDOWS\system32\717305
2008-04-21 02:38 . 2008-04-21 02:38 <DIR> d-------- C:\WINDOWS\Sun

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C}]
C:\WINDOWS\system32\ssqPihIc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 22:29 962560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="C:\Program Files\PCI Audio Applications\Mixer.exe" [2000-09-14 04:02 1077248]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-24 07:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-20 10:19 49152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-09 09:35 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 08:50 33792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 02:50 155648]
"70c5eaa4"="C:\WINDOWS\system32\xaqwbqpd.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 19:52:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
.
**************************************************************************
.
Completion time: 2008-05-09 20:01:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 12:01:17

Pre-Run: 11,857,731,584 bytes free
Post-Run: 11,832,512,512 bytes free

101 --- E O F --- 1999-12-31 16:16:43

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:18 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: (no name) - {1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C} - C:\WINDOWS\system32\ssqPihIc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [70c5eaa4] rundll32.exe "C:\WINDOWS\system32\xaqwbqpd.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 4839 bytes

RE: Persistent Spyware pop-ups (Virus Heat et.al)

RichieUK — Thu, 08 May 2008 02:23:46 GMT

Welcome:)

Please download [b][color="red"]FixWareout[/color][/b]:
[url]http://downloads.subratam.org/Fixwareout.exe[/url]

Save it to your desktop and run it.
Click Next,then Install,then make sure "[b]Run fixit[/b]" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; [b]please do so[/b].
Your system may take longer than usual to load,this is normal.

When your system reboots,follow the prompts.
Afterwards, HijackThis will launch,if it doesn't,launch it manually.
Please click Scan, and checkmark the following items:

[b]O17 - HKLM\System\CCS\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{67296F48-A252-434E-A81D-076EAA5DBA54}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{F230753C-F5C4-42B1-882D-F152132F52FE}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101[/b]

Click 'Fix Checked'.
Close HijackThis,and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt into your next reply.

[b]Please Note[/b]:
Only do the following if you have connection problems after performing the above steps:
Go to Start>Control Panel,and choose 'Network Connections'.
Then right click on your default connection,usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up,then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice,restart your computer.

It appears you've no virus protection installed,which is somewhat suicidal.
Please download/install [b]Avira AntiVir Personal - FREE Antivirus[/b]:
[url]http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html[/url]
Perform a full scan with Avira and allow it to delete everything it detects.
[b]Restart your pc when you've done.[/b]
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button,then [b]copy and paste the report into your next reply[/b].

Download [b][url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe][color="blue"]Combofix[/color][/url][/b] by [b]sUBs[/b] and save to your desktop.
Alternative Combofix download link [b][url=http://subs.geekstogo.com/ComboFix.exe][color="blue"]HERE[/color][/url][/b].
[color="red"][b][u]Note[/u][/b]
It is important that it is saved directly to your desktop[/color]

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
[b]Post the entire contents of C:\ComboFix.txt into your next reply[/b].
[color="red"][b][u]Note[/u][/b]
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang. [/color]
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
[b][color="RED"][U]Note[/U][/color][/b]
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

[b]Also post a new Hijackthis log please[/b].

Persistent Spyware pop-ups (Virus Heat et.al)

antral917 — Thu, 08 May 2008 00:46:22 GMT

I have the same problem as KingNet's, and although I got rid of the shield icon ( via AVG AS 7.5), pop-ups still appear instructing me to download an anti-spyware software, scanning for spywares and directing my browser to another website. this happens everytime I open Internet Explorer.

Here is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:19 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BM73f6d938] Rundll32.exe "C:\WINDOWS\system32\escicoyi.dll",s
O4 - HKLM\..\Run: [70c5eaa4] rundll32.exe "C:\WINDOWS\system32\ignwixyk.dll",b
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{67296F48-A252-434E-A81D-076EAA5DBA54}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{F230753C-F5C4-42B1-882D-F152132F52FE}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 5689 bytes