intermittant web pages opening (http://www.limewireextreme.com/3.html)

Viruses and worms
1

recently I have had internet explorer trying to open limewire pages unexpectantly, I have never downloaded limewire (intentionally) and have blocked them via web shield. I have run the avast thorough scan, the avast virus/worm application, spybot, spyware doctor all with no infections found. I have scanned all files and folders without finding anything and have checked the registry and deleted all references to limewire I could find after disabling the restore function, but it is still happening, can anyone help, thanks.

2

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.
3

Thanks for the advice, I ran each of the programs in the steps you advised with Superantispyware identifying 5 Trojan.Downloader-Gen files which I quarantined, none of the other programs identified any issues. the following is the log from the runscanner program.

4

001 Running processes

c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple, Inc.)

  • c:\windows\system32\alg.exe (Microsoft Corporation)
  • c:\program files\alwil software\avast4\ashserv.exe (ALWIL Software)
  • c:\program files\alwil software\avast4\aswupdsv.exe (ALWIL Software)
  • c:\program files\alwil software\avast4\ashmaisv.exe (ALWIL Software)
  • c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
  • c:\program files\alwil software\avast4\ashwebsv.exe (ALWIL Software)
  • c:\program files\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.)
  • c:\windows\system32\csrss.exe (Microsoft Corporation)
  • c:\progra~1\crawler\toolbar\ctoolbar.exe (Crawler.com)
  • c:\windows\system32\ctfmon.exe (Microsoft Corporation)
    c:\program files\lexmark 2500 series\lxddamon.exe (Lexmark)
  • c:\windows\system32\svchost.exe (Microsoft Corporation)
  • c:\windows\system32\svchost.exe (Microsoft Corporation)
  • c:\windows\system32\svchost.exe (Microsoft Corporation)
  • c:\windows\system32\svchost.exe (Microsoft Corporation)
  • c:\windows\system32\svchost.exe (Microsoft Corporation)
  • c:\windows\system32\svchost.exe (Microsoft Corporation)
  • c:\program files\internet explorer\iexplore.exe (Microsoft Corporation)
  • c:\ipod\bin\ipodservice.exe (Apple Inc.)
  • c:\itunes\ituneshelper.exe (Apple Inc.)
  • c:\program files\java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
  • c:\windows\system32\lsass.exe (Microsoft Corporation)
    c:\program files\common files\ahead\lib\nmbgmonitor.exe (Nero AG)
  • c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
    c:\cyberlink\powerdvd\pdvdserv.exe (Cyberlink Corp.)
  • c:\windows\system32\lxddcoms.exe
  • c:\windows\system32\rundll32.exe (Microsoft Corporation)
  • c:\windows\system32\rundll32.exe (Microsoft Corporation)
  • c:\documents and settings\michael\desktop\virus programs\runscanner.exe (Runscanner.net)
    c:\domplayer\wakeservice.exe (WakeNet)
  • c:\windows\system32\services.exe (Microsoft Corporation)
    c:\program files\analog devices\soundmax\smagent.exe (Analog Devices, Inc.)
  • c:\windows\system32\spoolsv.exe (Microsoft Corporation)
    c:\program files\spyware terminator\spywareterminatorshield.exe (Crawler.com)
    c:\program files\spyware terminator\sp_rsser.exe (Crawler.com)
    c:\program files\superantispyware\superantispyware.exe (SUPERAntiSpyware.com)
    c:\windows\system32\uaservice7.exe
  • c:\windows\explorer.exe (Microsoft Corporation)
    c:\windows\system32\wgatray.exe (Microsoft Corporation)
  • c:\windows\system32\winlogon.exe (Microsoft Corporation)
  • c:\windows\system32\smss.exe (Microsoft Corporation)
  • c:\windows\system32\wscntfy.exe (Microsoft Corporation)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

  • c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
    c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe (HP)
  • c:\itunes\ituneshelper.exe (Apple Inc.)
    c:\program files\lexmark 2500 series\lxddamon.exe (Lexmark)
  • c:\program files\lexmark 2500 series\lxddmon.exe
    c:\program files\common files\ahead\lib\nerocheck.exe (Nero AG)
    C:\WINDOWS\system32\nwiz.exe
    c:\program files\quicktime\qttask.exe (Apple Inc.)
    c:\cyberlink\powerdvd\pdvdserv.exe (Cyberlink Corp.)
    c:\program files\spyware terminator\spywareterminatorshield.exe (Crawler.com)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)

c:\program files\common files\ahead\lib\nmbgmonitor.exe (Nero AG)
c:\domplayer\wakeservice.exe (WakeNet)
c:\program files\superantispyware\superantispyware.exe (SUPERAntiSpyware.com)

008 Default user \Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)

  • c:\picasa2\picasamediadetector.exe

009 System user\Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)

  • c:\picasa2\picasamediadetector.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)

c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Mobile Device)
c:\ares\chatserver.exe (Ares Chatroom server)

  • c:\program files\alwil software\avast4\ashserv.exe (avast! Antivirus)
  • c:\program files\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
  • c:\program files\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
  • c:\program files\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
    c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe (InstallDriver Table Manager)
  • c:\ipod\bin\ipodservice.exe (iPod Service)
  • c:\windows\system32\lxddcoms.exe (lxdd_device)
  • c:\spyware doctor\svcntaux.exe (PC Tools Auxiliary Service)
  • c:\spyware doctor\swdsvc.exe (PC Tools Security Service)
    c:\windows\system32\uaservice7.exe (SecuROM User Access Service (V7))
    c:\program files\analog devices\soundmax\smagent.exe (SoundMAX Agent Service)
    c:\program files\spyware terminator\sp_rsser.exe (Spyware Terminator Realtime Shield Service)
  • c:\program files\common files\symantec shared\ccsvchst.exe (Symantec Lic NetConnect service)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)

  • c:\windows\system32\drivers\aswrdr.sys (aswRdr)
  • c:\windows\system32\drivers\aavmker4.sys (avast! Asynchronous Virus Monitor)
  • c:\windows\system32\drivers\aswtdi.sys (avast! Network Shield Support)
  • c:\windows\system32\drivers\aswmon2.sys (avast! Standard Shield Support)
  • c:\windows\system32\drivers\changer.sys (Changer)
  • c:\windows\system32\drivers\ikfilesec.sys (File Security Driver)
  • c:\windows\system32\drivers\i2omgmt.sys (i2omgmt)
  • c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)
    C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)
  • c:\windows\system32\drivers\pcidump.sys (PCIDump)
  • c:\windows\system32\drivers\pdcomp.sys (PDCOMP)
  • c:\windows\system32\drivers\pdframe.sys (PDFRAME)
  • c:\windows\system32\drivers\pdreli.sys (PDRELI)
  • c:\windows\system32\drivers\pdrframe.sys (PDRFRAME)
  • c:\windows\system32\drivers\qcusbser.sys (Qualcomm USB Device for Legacy Serial Communication)
    c:\program files\superantispyware\sasdifsv.sys (SASDIFSV)
    c:\program files\superantispyware\sasenum.sys (SASENUM)
    c:\program files\superantispyware\saskutil.sys (SASKUTIL)
    C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
    C:\WINDOWS\system32\drivers\sptd.sys (sptd)
    c:\windows\system32\drivers\sp_rsdrv2.sys (Spyware Terminator Driver 2)
  • C:\WINDOWS\system32\drivers\iksysflt.sys (System Filter Driver)
  • C:\WINDOWS\system32\drivers\iksyssec.sys (System Security Driver)
  • c:\windows\system32\drivers\tbhsd.sys (Tunebite High-Speed Dubbing)
  • c:\windows\system32\drivers\vaxscsi.sys (vaxscsi)
  • c:\windows\system32\drivers\wdica.sys (WDICA)
5

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter

C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler

c:\progra~1\crawler\toolbar\ctbr.dll (Crawler.com) {4D25FB7A-8902-4291-960E-9ADA051CFBBF}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components

c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar

c:\progra~1\crawler\toolbar\ctbr.dll (Crawler.com) {4B3803EA-5230-4DC3-A7FC-33638F3D3542}
c:\program files\lexmark toolbar\toolband.dll {1017A80C-6F09-4548-A84D-EDD6AC9525F0}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

c:\progra~1\crawler\toolbar\ctbr.dll (Crawler.com) {4B3803EA-5230-4DC3-A7FC-33638F3D3542}
c:\program files\lexmark toolbar\toolband.dll {1017A80C-6F09-4548-A84D-EDD6AC9525F0}

047 Trusted zones

Zone: au.f317.mail.yahoo.com : *.au.f317.mail.yahoo.com
Zone: au.mail.yahoo.com : *.au.mail.yahoo.com
Zone: au.mg1.mail.yahoo.com : *.au.mg1.mail.yahoo.com
Zone: au.rd.yahoo.com : *.au.rd.yahoo.com
Zone: au.yahoo.com : http://au.yahoo.com
Zone: login.yahoo.com : https://login.yahoo.com
Zone: login.yahoo.com : *.login.yahoo.com

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

c:\dvd region+css free\dvdshell.dll (Fengtao Software) {93994DE8-8239-4655-B1D1-5F4E91300429}
c:\program files\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

c:\progra~1\crawler\toolbar\ctbr.dll (Crawler.com) {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
c:\program files\lexmark toolbar\toolband.dll {1017A80C-6F09-4548-A84D-EDD6AC9525F0}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

  • c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
    c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
    c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
    c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
  • c:\itunes\itunesminiplayer.dll (Apple Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
    c:\program files\common files\ahead\lib\nerodigitalext.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3}
    c:\program files\common files\ahead\lib\nerodigitalext.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8}
    c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
    c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
    c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
    c:\program files\spyware terminator\sptcontmenu.dll (Crawler.com) {BD88A479-9623-4897-8546-BC62B9628F44}
  • blank {7C9D5882-CB4A-4090-96C8-430BFE8B795B}
    c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
    c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79305-84BE-11CE-9641-444553540000}
    c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79306-84BE-11CE-9641-444553540000}
    c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79307-84BE-11CE-9641-444553540000}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers

c:\program files\common files\ahead\lib\nerodigitalext.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

c:\program files\superantispyware\saswinlo.dll (SUPERAntiSpyware.com)
C:\WINDOWS\system32\wgalogon.dll (Microsoft Corporation)

  • wrlogonntf.dll

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

C:\WINDOWS\system32\cnmlm3y.dll (CANON INC.)
C:\WINDOWS\system32\hpzsnt08.dll (HP)
C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)

100 Internet Explorer settings

ProxyOverride HKCU : 192.168.1.1
SearchUrl HKCU : http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
ShellNext HKCU : http://update.microsoft.com/microsoftupdate
Start Page HKCU : http://search.yahoo.com/?ei=UTF-8

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units

c:\windows\system32\legitcheckcontrol.dll (Microsoft Corporation) {17492023-C23A-453E-A040-C7C580BBF700}

  • c:\windows\downloaded program files\sysreqlab2.dll (Husdawg, LLC) {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt

Crawler Search : tbr:iemenu
E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

173 HKCR*\shellex\ContextMenuHandlers

  • c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
    c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
    c:\program files\spyware terminator\sptcontmenu.dll (Crawler.com) {BD88A479-9623-4897-8546-BC62B9628F44}
    c:\progra~1\winzip\wzshlstb.dll (WinZip Computing, Inc.) {E0D79304-84BE-11CE-9641-444553540000}
    c:\program files\nero\nero 7\nero backitup\nbshell.dll (Nero AG)
    c:\program files\superantispyware\sasctxmn.dll (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu
6

You can submit the Runscanner log for automatic analysis. Sorry, I’m not an expert on cleaning.