We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
We're aware that some users are experiencing technical issues which the team are working to resolve. See the Community Noticeboard for more info. Thank you for your patience.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Help removing source of Win32:Rootkit-gen
Options
neosi
Posts: 1,678 Forumite
Hi
Im normally pretty good at removing nasties from my machine but over the past week ive been getting a warning from Avast that it has removed the below
Win32:Rootkit-gen [Rtk]
Original file name : driver.dll
Original Folder : K:\Documents and Settings\XXXX\Local Settings\Temp
Ive run Avast as a boot scan, didn't find anything. Have also run Malwarebytes, SuperAntiSpayware, TDSSkiller, also tried for the first time HitmanPro all of which find nothing.
Avst does move the file to the vault but when I reopen IE even after resetting router and ccleaner, it reappears so is attacking my machine each time IE is opened.
Any help much appreciated.. below is a scan of hijackthis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:08:40, on 27/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Alwil Software\Avast5\AvastSvc.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\Mixer.exe
K:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
K:\Program Files\NetWorx\networx.exe
K:\Program Files\SpeedFan\speedfan.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Hotspot Shield\bin\openvpnas.exe
K:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
K:\Program Files\Hotspot Shield\bin\hsswd.exe
K:\WINDOWS\system32\nvsvc32.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Outlook Express\msimn.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\WINDOWS\system32\msiexec.exe
K:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O1 - Hosts: 82.192.86.132 oron.com www.oron.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: FCTBPos00Pos - {B7C2F0D8-2209-4693-A15D-5A537211D48B} - K:\Program Files\Nectar Search Toolbar\Toolbar.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - K:\Program Files\Hotspot Shield\HssIE\HssIE.dll
O3 - Toolbar: Nectar Search Toolbar - {8020143D-5926-4394-A04D-DD0B649DA121} - K:\Program Files\Nectar Search Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE K:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "K:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE K:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast5] K:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [OutpostMonitor] "K:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "K:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [NetWorx] "K:\Program Files\NetWorx\networx.exe" /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "K:\Documents and Settings\XXXXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: speedfan.lnk = K:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Microsoft Office.lnk = K:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://K:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - K:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - K:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - K:\WINDOWS\bdoscandel.exe
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183136061164
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - K:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - K:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - K:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - K:\WINDOWS\system32\browseui.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - K:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - K:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - AVAST Software - K:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Hotspot Shield Service (hshld) - Unknown owner - K:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - K:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - K:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - K:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod Service - Apple Inc. - K:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - K:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia - K:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 9588 bytes
Im normally pretty good at removing nasties from my machine but over the past week ive been getting a warning from Avast that it has removed the below
Win32:Rootkit-gen [Rtk]
Original file name : driver.dll
Original Folder : K:\Documents and Settings\XXXX\Local Settings\Temp
Ive run Avast as a boot scan, didn't find anything. Have also run Malwarebytes, SuperAntiSpayware, TDSSkiller, also tried for the first time HitmanPro all of which find nothing.
Avst does move the file to the vault but when I reopen IE even after resetting router and ccleaner, it reappears so is attacking my machine each time IE is opened.
Any help much appreciated.. below is a scan of hijackthis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:08:40, on 27/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Alwil Software\Avast5\AvastSvc.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\Mixer.exe
K:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
K:\Program Files\NetWorx\networx.exe
K:\Program Files\SpeedFan\speedfan.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Hotspot Shield\bin\openvpnas.exe
K:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
K:\Program Files\Hotspot Shield\bin\hsswd.exe
K:\WINDOWS\system32\nvsvc32.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Outlook Express\msimn.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\WINDOWS\system32\msiexec.exe
K:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O1 - Hosts: 82.192.86.132 oron.com www.oron.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: FCTBPos00Pos - {B7C2F0D8-2209-4693-A15D-5A537211D48B} - K:\Program Files\Nectar Search Toolbar\Toolbar.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - K:\Program Files\Hotspot Shield\HssIE\HssIE.dll
O3 - Toolbar: Nectar Search Toolbar - {8020143D-5926-4394-A04D-DD0B649DA121} - K:\Program Files\Nectar Search Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE K:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "K:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE K:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast5] K:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [OutpostMonitor] "K:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "K:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [NetWorx] "K:\Program Files\NetWorx\networx.exe" /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "K:\Documents and Settings\XXXXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: speedfan.lnk = K:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Microsoft Office.lnk = K:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://K:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - K:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - K:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - K:\WINDOWS\bdoscandel.exe
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183136061164
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - K:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - K:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - K:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - K:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - K:\WINDOWS\system32\browseui.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - K:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - K:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - AVAST Software - K:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Hotspot Shield Service (hshld) - Unknown owner - K:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - K:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - K:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - K:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod Service - Apple Inc. - K:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - K:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia - K:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 9588 bytes
[SIZE=-1]Who's the more foolish: the fool, or the fool who follows him?[/SIZE]
OBI-WAN KENOBI
:beer: :A :beer:
0
Comments
-
Download this and save it to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe
When you've downloaded it...- Double click aswMBR.exe to run it (XP), or right click & choose "Run as Administrator" (Vista, Win7)
- Click No to the prompt to download Avast! virus definitions.
- Click the Scan button.
- When the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
- Click OK when prompted. aswMBR.txt & MBR.dat will be appear on your desktop.
- Click EXIT.
- Copy & paste the contents of aswMBR.txt here.
0 -
also, you've got a proxy hiding in there,
O1 - Hosts: 82.192.86.132 oron.com https://www.oron.com
run hostsXpert, and restore the microsoft hosts file......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
Nothing amiss there.
Download DDS from the link below and save it to your desktop:
Link
After you've downloaded it and saved it to your desktop:- Double click DDS to run it.
- When it's finished, DDS will open two logs:
- DDS.txt
- Attach.txt
Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts)0 -
A couple of minor things & what looks like a problem with firefox.
Can you post the attach.txt log now.0 -
Do you have a copy of the offending file (Driver.dll) in the Virus Chest?
Download GooredFix and save it to your Desktop.
http://jpshortstuff.247fixes.com/GooredFix.exe
- Ensure all Firefox windows are closed.
- Double-click Goored.exe to run it.
- When prompted to run the scan, click Yes. GooredFix will check for infections
- When it's finished, a log will open. Post the contents of that log in your next reply
0 -
That worked. You had a Google redirection infection that was affecting Firefox (Which needs updating if you use it)
I want you to extract the file from the virus chest, save it to your Desktop, & then upload it to VirusTotal.
How to extract the file->
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_06
go to VirusTotal and upload the driver.dll file you extracted to your desktop.
Click Browse... & the Choose a file to upload dialogue box will open.
Browse to the file on your desktop, highlight it & and click open
Click Send File. If you get a message saying: File already submitted, click Reanalyze
When it's finished, highlight, copy & then post the link to the report in the address bar back here.0 -
Make sure you delete that file if you still have it on your desktop.would i be correct in saying when i opened IE it was still trying to redirect
No, that wouldn't have an effect on IE. Do you still get that file appearing or are things ok now?
Update & run a quick scan with MBAM & post the log.
Hope things go ok at the Hossie.0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 350.8K Banking & Borrowing
- 253.1K Reduce Debt & Boost Income
- 453.5K Spending & Discounts
- 243.8K Work, Benefits & Business
- 598.7K Mortgages, Homes & Bills
- 176.8K Life & Family
- 257.1K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards