Author Topic: Avast Internet Mail Shield - acting weird  (Read 19498 times)


Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #15 on: June 23, 2007, 03:26:31 PM »
  C:\Program Files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
  Start Menu Scanning
  Explorer : C:\WINDOWS\explorer.exe
  Explorer : C:\Documents and Settings\Lee\Start Menu\C Drive.lnk
  Explorer : C:\Documents and Settings\Lee\Start Menu\D Drive.lnk
  Explorer : C:\Documents and Settings\Lee\Start Menu\Lee's Files.lnk
  SynchronizationManager : C:\WINDOWS\system32\mobsync.exe
  SynchronizationManager : C:\Documents and Settings\Lee\Start Menu\Programs\Accessories\Synchronize.lnk
  Ccleaner : C:\Program Files\CCleaner\ccleaner.exe
  Ccleaner : C:\Documents and Settings\Lee\Start Menu\Programs\CCleaner\CCleaner.lnk
  WinRAR : C:\Program Files\WinRAR\WinRAR.exe
  WinRAR : C:\Documents and Settings\Lee\Start Menu\Programs\WinRAR\WinRAR.lnk
  Explorer : C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk
  Explorer : C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk
  Roboform : C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
  Roboform : C:\Documents and Settings\All Users\Start Menu\Programs\AI RoboForm\New Version Check.lnk
  Roboform : C:\Documents and Settings\All Users\Start Menu\Programs\AI RoboForm\TaskBar Icon.lnk
  Avast : C:\Program Files\Alwil Software\Avast4\ashAvast.exe
  Avast : C:\Documents and Settings\All Users\Start Menu\Programs\avast! Antivirus\avast! Antivirus.lnk
  Spyware Terminator : C:\Program Files\Spyware Terminator\SpywareTerminator.exe
  Spyware Terminator : C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Terminator\Spyware Terminator.lnk
  Spyware Terminator : C:\Program Files\Spyware Terminator\unins000.exe
  Spyware Terminator : C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Terminator\Uninstall Spyware Terminator.lnk
  SygateAgentFirewall : C:\Program Files\Sygate\SPF\Smc.exe
  SygateAgentFirewall : C:\Documents and Settings\All Users\Start Menu\Programs\Sygate Personal Firewall\Sygate Personal Firewall.lnk
  WinFastSchedule : C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
  WinFastSchedule : C:\Documents and Settings\All Users\Start Menu\Programs\WinFast Entertainment Center\WinFast Wizard.lnk
  WinRAR : C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR\WinRAR.lnk
  Desktop Scanning
  Favorites Scanning
  Cookies Scanning
  Registry Scanning
  MSDXM : HKCR\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}
  MSDXM : C:\WINDOWS\system32\msdxm.ocx
  Spybot S&D : HKCR\CLSID\{53707962-6F74-2D53-2644-206D7942484F}
  Spybot S&D : C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  Files Scanning
  Google Toolbar : C:\Program Files\GOOGLE\COMMON\GOOGLE UPDATER\GOOGLEUPDATERSERVICE.EXE
  Spyware Terminator : C:\Program Files\Spyware Terminator\Spywareterminatorshield.exe
  Spyware Terminator : C:\Program Files\Spyware Terminator\Spywareterminator.exe
  Spyware Terminator : C:\Program Files\Spyware Terminator\sptcontmenu.dll
  Spyware Terminator : C:\Program Files\Spyware Terminator\unins000.exe
  Spyware Terminator : C:\Documents and Settings\All Users\Start Menu\..\Application Data\Spyware Terminator\sp_rsdel.exe
  Spyware Terminator : C:\Documents and Settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
  AVG7_Control Center : C:\WINDOWS\system32\MSVCR71.dll
  AVG7_Control Center : C:\WINDOWS\system32\MSVCP71.dll
 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast Internet Mail Shield - acting weird
« Reply #16 on: June 23, 2007, 03:30:43 PM »
Quote
I know it's infected, it's just a matter of what and how to get rid of it.

General cleaning procedures...

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2) Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in SafeMode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5) If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

6) After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

7) Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #17 on: June 23, 2007, 03:33:42 PM »
Logfile of HijackThis v1.99.1
Scan saved at 10:31:09 PM, on 23/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.tpg.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bri-pow-pr4.tpgi.com.au:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;192.168.1.1;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} (VPlayer Control) - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #18 on: June 23, 2007, 03:41:21 PM »
Quote
I know it's infected, it's just a matter of what and how to get rid of it.
General cleaning procedures...

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

Done
Quote
2) Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

Done, several times in fact.

Quote
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in SafeMode (repeatedly press F8 while booting).

Done, I posted the log

Quote
4) It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.


Done and yeah admittedly I goofed, I deleted the files.

Quote
5) If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

Will certainly do that, it's the only thing I have not yet done...

Quote
6) After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

I was already running Spywareblaster, which is one of the annoying aspects of this. It seems whatever has happened, slipped through and from what I can gather it was in a so called clean file, which I scanned when I downloaded it.

Quote
7) Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.


Will do. Now onto the next step. Thank you for your time and patience.

mauserme

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #19 on: June 23, 2007, 03:45:09 PM »
Don't forget to run ComboFix when you get a chance.  Instructions are on page 1.

Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #20 on: June 23, 2007, 03:50:40 PM »
Quote
No problem, glad we could help.

I noticed on one of the actions you chose delete, deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

You also have dealt with a number of infected files in the system folders; prevention is better than cure. You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Cookies for the most part aren't a problem, you should periodically clear your browser cache and cookies, so much so in the Settings of AVG-AS I have tracking cookies unchecked, as I have the firefox CookieSafe extension. With that I have a greater control over cookies anyway.

Thanks for your advice, I read that forum and quite frankly I didn't really understand it as such, I am the only person who uses my computer, my partner has her own computer and the laptop is a shared computer between us, but mostly used by me. Are you saying that I should create new profiles on the desktop and laptop with limited administration rights? Or have I missed the point?


Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #21 on: June 23, 2007, 03:54:06 PM »
Quote
Don't forget to run ComboFix when you get a chance.  Instructions are on page 1.

Combofix has been run. As well as DrFixit or some such thing, seems whatever is happening with my computer has defeated all the known fixes I have tried so far, my c: drive has almost been filled up with anti spyware, anti virus, anti malware you name it, I have downloaded it and run it.... :) I think I am really going to have to format this thing and hopefully that will solve the whole darned problem for once and for all.

mauserme

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #22 on: June 23, 2007, 04:01:38 PM »
ComboFix does fix many things, but it also lists files recently created and reg loading points (in the log) that can be a useful diagnostic.  So even if it didn't solve the problem it may give us the information we need to solve it manually.

Back in a while ...

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89115
  • No support PMs thanks
Re: Avast Internet Mail Shield - acting weird
« Reply #23 on: June 23, 2007, 04:09:29 PM »
Quote
Thanks for your advice, I read that forum and quite frankly I didn't really understand it as such, I am the only person who uses my computer, my partner has her own computer and the laptop is a shared computer between us, but mostly used by me. Are you saying that I should create new profiles on the desktop and laptop with limited administration rights? Or have I missed the point?

You have missed the point slightly in that the idea of dropmyrights is that you continue to use your normal account with admin privileges, but create shortcuts for your applications that connect to the internet (typically your browser/s, email client, P2P if used, etc.). This shortcut first runs dropmyrights, which calls the program you want to run with restricted rights, you remain an administrator, but the program doesn't inherit your privileges by default because of your privileges.

There is a link on the page (where my signature dropmyrights points) to Microsoft with much more information and pictures, my short post about DMR is just how to make it a bit easier to create the shortcuts, etc.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast Internet Mail Shield - acting weird
« Reply #24 on: June 23, 2007, 04:18:09 PM »
Quote
P2P if used
emule has an internal emule_secure feature that creates and uses a common (non-admin) account.
Just to let you know (if you don't know already) 8)

Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #25 on: June 23, 2007, 04:34:35 PM »
Ok just ran Combofix and the only thing it came up with was this source file error: C:\WINDOWS\System32\Xyob48.sys
Computer rebooted and so far so good. I have now loaded the Comodo firewall and it's up and running, but seems to want me to allow/deny everything that's going on. Trouble is as I said I am an amateur and have no idea of what to allow and what not to. It popped up a window about avast mail server or something suchlike and I don't know whether to allow it or not. However I have noted that the internet shield has not sent out any emails for the past 10 minutes, fingers crossed.


Also scanned with the FSL program and no rootkits found....onto Secunia.
« Last Edit: June 23, 2007, 04:45:23 PM by Flashfire »

mauserme

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #26 on: June 23, 2007, 09:43:00 PM »
Quote
Ok just ran Combofix...
Well, I don't mean to make a pest of myself but could you please post the ComboFix log.  A second set of eyes will often see things that might have been overlooked  :)

The fact that the email provider wants unexpected internet access probably means the infection continues but is now being blocked by the firewall.

Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #27 on: June 24, 2007, 07:49:45 AM »
"Lee" - 2007-06-24 15:26:13 - ComboFix 07-06-23 - Service Pack 2  NTFS 


(((((((((((((((((((((((((   Files Created from 2007-05-24 to 2007-06-24  )))))))))))))))))))))))))))))))


2007-06-24 15:12   <DIR>   d--------   C:\Program Files\WinZip Companion for Outlook
2007-06-24 01:26   <DIR>   d--------   C:\DOCUME~1\Games\APPLIC~1\Comodo
2007-06-24 01:21   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-06-24 01:01   <DIR>   d--------   C:\WINDOWS\LastGood
2007-06-24 00:03   <DIR>   d--------   C:\DOCUME~1\Lee\APPLIC~1\Comodo
2007-06-24 00:03   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-23 23:14   <DIR>   d--------   C:\Program Files\Comodo
2007-06-23 22:10   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-23 20:52   <DIR>   d--------   C:\DOCUME~1\Lee\DoctorWeb
2007-06-21 22:49   <DIR>   d--------   C:\DOCUME~1\Games\APPLIC~1\SUPERAntiSpyware.com
2007-06-21 16:57   <DIR>   d--------   C:\DOCUME~1\Lee\.housecall6.6
2007-06-21 14:57   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-06-21 14:57   <DIR>   d--------   C:\DOCUME~1\Lee\APPLIC~1\SUPERAntiSpyware.com
2007-06-21 14:57   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-21 09:57   <DIR>   d--------   C:\Program Files\Windows Live Safety Center
2007-06-20 12:44   <DIR>   d--------   C:\DOCUME~1\Lee\APPLIC~1\Apple Computer
2007-06-17 08:40   <DIR>   d--------   C:\Program Files\TPG Usage Meter
2007-06-16 20:37   <DIR>   d---s----   C:\DOCUME~1\Games\UserData
2007-06-16 20:36   <DIR>   d--------   C:\Program Files\EA GAMES
2007-06-16 15:26   <DIR>   d--------   C:\Program Files\TheSimsResource
2007-06-15 19:37   <DIR>   d--------   C:\divx
2007-06-15 16:05   <DIR>   d--------   C:\Program Files\LizardTech
2007-06-15 10:56   420,240   --a------   C:\WINDOWS\system32\mpg4c32.dll
2007-06-15 10:56   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
2007-06-15 10:55   49,152   ---------   C:\WINDOWS\system32\TempDel.EXE
2007-06-15 10:55   <DIR>   d--------   C:\WINDOWS\system32\WinFast
2007-06-15 10:55   <DIR>   d--------   C:\Program Files\WinFast
2007-06-13 13:02   <DIR>   d--------   C:\Program Files\Google
2007-06-13 12:58   <DIR>   d--------   C:\Program Files\MSN Messenger
2007-06-13 12:57   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
2007-06-12 20:43   <DIR>   d--------   C:\Program Files\Azureus
2007-06-12 18:48   <DIR>   d--------   C:\Program Files\eMule
2007-06-12 12:51   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-12 11:30   <DIR>   d--------   C:\WINDOWS\speech
2007-06-12 11:29   <DIR>   d--------   C:\WINDOWS\lhsp
2007-06-11 12:14   <DIR>   d--------   C:\Downloads
2007-06-10 13:48   75,776   --a------   C:\WINDOWS\ST6UNST.EXE
2007-06-10 13:48   249,856   ---------   C:\WINDOWS\Setup1.exe
2007-06-10 11:11   <DIR>   d--------   C:\DOCUME~1\Lee\Shared
2007-06-10 11:11   <DIR>   d--------   C:\DOCUME~1\Lee\Incomplete
2007-06-10 11:10   <DIR>   d--------   C:\Program Files\LimeWire
2007-06-10 08:24   <DIR>   d--------   C:\Program Files\Virtual Hypnotist
2007-06-09 23:12   <DIR>   d--------   C:\Program Files\MSXML 4.0
2007-06-09 20:47   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-09 19:10   11,254   --a------   C:\WINDOWS\system32\locate.com
2007-06-09 18:27   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-09 16:53   <DIR>   d--------   C:\DOCUME~1\Games\APPLIC~1\HP
2007-06-09 16:50   <DIR>   d--------   C:\DOCUME~1\Games\APPLIC~1\Tenebril
2007-06-09 14:51   <DIR>   d--------   C:\DOCUME~1\Lee\APPLIC~1\Tenebril
2007-06-09 14:44   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-06-09 14:43   180,224   --a-s----   C:\WINDOWS\system32\archlib.dll
2007-06-09 14:43   <DIR>   d--------   C:\WINDOWS\system32\tenarchlib
2007-06-09 14:17   <DIR>   d--------   C:\Program Files\CCleaner
2007-06-09 14:00   <DIR>   d--------   C:\HijackThis
2007-06-08 20:40   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-06-08 16:35   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-06-08 16:32   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2007-06-08 15:49   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-08 15:49   26,888   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-08 15:49   23,416   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-08 15:49   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-08 15:49   <DIR>   d--------   C:\DOCUME~1\Lee\APPLIC~1\Lavasoft
2007-06-08 15:48   95,872   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-06-08 15:48   94,552   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-08 15:48   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-08 15:48   745,600   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-06-08 15:48   <DIR>   d--------   C:\Program Files\Alwil Software
2007-06-08 12:01   109   --ahs----   C:\WINDOWS\system32\2225991166.dat
2007-06-08 11:52   <DIR>   d--------   C:\Program Files\QuickTime
2007-06-08 11:52   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-08 11:51   <DIR>   d--------   C:\WINDOWS\vbSkinner
2007-06-08 09:53   <DIR>   d--------   C:\DOCUME~1\Lee\APPLIC~1\HP
2007-06-08 09:52   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-06-08 09:16   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-06-08 09:15   <DIR>   d--------   C:\Program Files\Common Files\HP
2007-06-08 09:13   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2007-06-08 09:12   <DIR>   d--------   C:\Program Files\Common Files\Hewlett-Packard
2007-06-08 09:11   827,392   -ra------   C:\WINDOWS\system32\hpotiop2.dll
2007-06-08 09:11   77,824   -ra------   C:\WINDOWS\system32\HPZIDS01.dll
2007-06-08 09:11   659,456   -ra------   C:\WINDOWS\system32\hpowiax2.dll
2007-06-08 09:11   6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2007-06-08 09:11   38,400   --a------   C:\WINDOWS\system32\hpz3l054.dll
2007-06-08 09:11   254,026   -ra------   C:\WINDOWS\system32\hpovst09.dll
2007-06-08 09:10   94,208   --a------   C:\WINDOWS\system32\HPZipt12.dll
2007-06-08 09:10   69,632   --a------   C:\WINDOWS\system32\HPZipm12.exe
2007-06-08 09:10   65,536   --a------   C:\WINDOWS\system32\HPZinw12.exe
2007-06-08 09:10   57,344   --a------   C:\WINDOWS\system32\HPZisn12.dll
2007-06-08 09:10   282,680   --a------   C:\WINDOWS\system32\HPZidr12.dll
2007-06-08 09:10   204,800   --a------   C:\WINDOWS\system32\HPZipr12.dll
2007-06-08 09:10   <DIR>   d--------   C:\TEMP
2007-06-08 09:08   <DIR>   d--------   C:\Program Files\HP
2007-06-08 09:06   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-08 09:05   117,079   --a------   C:\WINDOWS\hpoins11.dat
2007-06-05 19:41   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2007-06-05 18:16   <DIR>   d--------   C:\WINDOWS\system32\PreInstall
2007-06-04 23:59   <DIR>   d--------   C:\WINDOWS\system32\SoftwareDistribution
2007-06-04 15:18   9,344   --a------   C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17   8,320   --a------   C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14   6,272   --a------   C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 14:35   129,784   ---------   C:\WINDOWS\system32\pxafs.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-12 10:56:17   359,808   ----a-w   C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-04-26 23:41:54   282,624   ----a-w   C:\qttask.exe
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29   3,596,288   ----a-w   C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34   73,728   ----a-w   C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34   196,608   ----a-w   C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33   53,248   ----a-w   C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31   593,920   ----a-w   C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31   57,344   ----a-w   C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31   344,064   ----a-w   C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31   294,912   ----a-w   C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31   294,912   ----a-w   C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47   12,288   ----a-w   C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46   124,472   ----a-w   C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-16 12:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-13 05:19:52   7,680   ----a-w   C:\WINDOWS\system32\lsdelete.exe


Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #28 on: June 24, 2007, 07:50:17 AM »
((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 18:48 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-05-01 01:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-24 00:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-06-08 08:19]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPG Usage Meter]
C:\Program Files\TPG Usage Meter\TPG Usage Meter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   p2psvc p2pimsvc p2pgasvc PNRPSvc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - netsvcs
NtmlSvc


Contents of the 'Scheduled Tasks' folder
2007-06-22 07:15:00  C:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 15:27:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 15:28:18
C:\ComboFix-quarantined-files.txt ... 2007-06-24 15:28
C:\ComboFix2.txt ... 2007-06-24 00:25

   --- E O F ---

Flashfire

  • Guest
Re: Avast Internet Mail Shield - acting weird
« Reply #29 on: June 24, 2007, 07:53:24 AM »
Logfile of HijackThis v1.99.1
Scan saved at 3:53:00 PM, on 24/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tpg.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.tpg.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bri-pow-pr4.tpgi.com.au:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;192.168.1.1;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {DCDC28C5-831C-43EA-9C02-78872CCCA409} (VPlayer Control) - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe