# Solved: 0xc0000005 Application failed to initialize properly



## johnisnot1337

When I start up my computer (WinXP SP2), after I get the welcome screen I receive the error message "Application Failed to initialize properly (0xc0000005)", which pops up about 2-3 times. Then my desktop background image loads but nothing else. All my icons that were on the desktop are gone, I have no taskbar at the bottom and no clock, just the background desktop image. If I press Alt+Ctrl+Del, I get the Windows Task Manager. From there I can run most of my programs; however, if I try to open some things such as Add/Remove Programs, I get a rundll32 error with the same "Application Failed to initialize properly (0xc0000005)".

This is the Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:57 PM, on 27/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adlib\Express\AdlibFMR.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM97ce4bcc] Rundll32.exe "C:\WINDOWS\system32\eyolghyh.dll",s
O4 - HKLM\..\Run: [94fd7850] rundll32.exe "C:\WINDOWS\system32\nijesput.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171493831625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171493927015
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0057FE4.dat
O23 - Service: Adlib Express Server - Adlib Software - C:\Program Files\Adlib\Express\adexps.exe
O23 - Service: Adlib FMR - Adlib eDocument Solutions - C:\Program Files\Adlib\Express\AdlibFMR.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 8987 bytes

PLEASE HELP
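The entries in the log above that deserve a second look are the `O20 - AppInit_DLLs` line (a `.dat` under system32; on XP anything listed there is loaded into every process that maps user32.dll, including explorer.exe and rundll32.exe, and a faulting AppInit DLL is a common cause of the 0xc0000005 "failed to initialize" message), the two `O4` Run values that launch rundll32 on randomly named DLLs with one-letter exports (`eyolghyh.dll,s` and `nijesput.dll,b`), and, in the later logs in this thread, the nameless BHO whose file is missing and the WinButler autostart under Application Data. The script below is an added example for this page, not a tool from the thread or from HijackThis: it applies those heuristics to a small constructed sample made of lines copied from the logs posted here, and can be pointed at any saved hijackthis.log. The thresholds it uses (7-9 lowercase letters for a random DLL name, an 8-digit hex Run value name) are assumptions tuned to the names in this log, not a published rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the HijackThis logs posted in this
# thread, chosen so that every heuristic below fires at least once while the
# legitimate rundll32 (NvCpl), ctfmon and service lines stay quiet.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {838B9116-E836-423F-A3CD-99B47A97D0FD} - C:\WINDOWS\system32\iifdawXn.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM97ce4bcc] Rundll32.exe "C:\WINDOWS\system32\eyolghyh.dll",s
O4 - HKLM\..\Run: [94fd7850] rundll32.exe "C:\WINDOWS\system32\nijesput.dll",b
O4 - HKCU\..\Run: [WinButler] C:\Documents and Settings\Owner\Application Data\WinButler\WinButler.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0057FE4.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w*)', re.IGNORECASE)
VALUE_NAME_RE = re.compile(r"\[(?P<name>[^\]]*)\]")
RANDOM_DLL_RE = re.compile(r"^[a-z]{7,9}$")        # assumed threshold: eyolghyh, nijesput
HEX_VALUE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")  # assumed threshold: BM97ce4bcc, 94fd7850
PROFILE_DIRS = ("\\application data\\", "\\local settings\\")


def check_entry(section, body):
    """Return the list of reasons an entry looks suspicious (empty if none)."""
    reasons = []
    low = body.lower()

    # O20: AppInit_DLLs is loaded into every process that maps user32.dll, so a
    # value here reaches explorer.exe, rundll32.exe and nearly every GUI program.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is non-empty; the listed file is injected into every user32 process")

    # O2 / O9: an IE extension with no name whose backing file is already gone.
    if section in ("O2", "O9") and "(no name)" in body and (
            "(file missing)" in body or "(no file)" in body):
        reasons.append("nameless IE extension whose file is missing (orphaned registration)")

    if section == "O4":
        m = RUNDLL32_RE.search(body)
        if m:
            base = PureWindowsPath(m.group("dll")).stem
            export = m.group("export")
            if len(export) <= 1:
                reasons.append(f"rundll32 calls one-letter export '{export}' of {base}.dll")
            elif RANDOM_DLL_RE.match(base):
                reasons.append(f"rundll32 loads random-looking DLL {base}.dll")
        vm = VALUE_NAME_RE.search(body)
        if vm and HEX_VALUE_RE.match(vm.group("name")):
            reasons.append(f"Run value name '{vm.group('name')}' is a random hex string")
        if any(d in low for d in PROFILE_DIRS):
            reasons.append("autostart binary lives in a user-writable profile directory")

    return reasons


def triage(log_text):
    """Parse HijackThis output; return (section, line, reasons) for each flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, header lines, blank lines
        reasons = check_entry(m.group("section"), m.group("body"))
        if reasons:
            findings.append((m.group("section"), line, reasons))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python hjt_triage.py hijackthis.log   (no argument: use the sample)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, line, reasons in triage(text):
        print(f"[{section}] {line}")
        for r in reasons:
            print(f"      - {r}")
```

On the sample it flags six entries and leaves the NVIDIA rundll32 line, ctfmon.exe and the NVIDIA service untouched; the O20 line is flagged on the mere presence of a value, because AppInit_DLLs is normally empty on a clean XP install.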


----------



## cybertech

Download *FixIEDef.exe* by ShadowPuterDude to your Desktop.

Double-click FixIEDef.exe:

That will open the About FixIEDef screen. Click *OK* to continue:

Next, press the *Scan!* button:

FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click *OK* to continue:

Wait for the scan to finish. It shouldn't take very long:

*WARNING*: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

After the !!! All Finished !!! message is displayed, click *Exit*:

Post the *FixIEDef log* file, located on the Desktop, along with the contents of a fresh DSS main.txt.
_Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user._

_See: http://www.beyondlogic.org/consulting/proc...processutil.htm_


----------



## johnisnot1337

OK, here is the *FixIEDef log*

********************************************************************************
* *
* FixIEDef Log *
* Version 1.4.16.4411 *
*  *
********************************************************************************

Created at 15:19:30 on Saturday, June 07, 2008

Time Zone : (GMT+10:00) Canberra, Melbourne, Sydney

Operating System : Microsoft Windows XP Home Edition
Service Pack Level: Service Pack 2
System Langauge : English (United States)
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\__c00AE262.dat

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done 

ShadowPuterDude

Safe Surfing!!!


----------



## johnisnot1337

I am going to start another thread now because I took too long to reply and "volunteers in that forum specifically look for threads with no replies."


----------



## johnisnot1337

When I start up my computer (WinXP SP2), after I get the welcome screen I receive the error message "Application Failed to initialize properly (0xc0000005)", which pops up about 2-3 times. Then my desktop background image loads but nothing else. All my icons that were on the desktop are gone, I have no taskbar at the bottom and no clock, just the background desktop image. If I press Alt+Ctrl+Del, I get the Windows Task Manager. From there I can run most of my programs; however, if I try to open some things such as Add/Remove Programs, I get a rundll32 error with the same "Application Failed to initialize properly (0xc0000005)". Spybot S&D shows that I have a trojan (win32.bho.df) and Virtumonde.

This is the Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:27 PM, on 7/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Adlib\Express\AdlibFMR.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {838B9116-E836-423F-A3CD-99B47A97D0FD} - C:\WINDOWS\system32\iifdawXn.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Camera Detector] "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" -autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WinButler] C:\Documents and Settings\Owner\Application Data\WinButler\WinButler.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171493831625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171493927015
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AE262.dat
O23 - Service: Adlib Express Server - Adlib Software - C:\Program Files\Adlib\Express\adexps.exe
O23 - Service: Adlib FMR - Adlib eDocument Solutions - C:\Program Files\Adlib\Express\AdlibFMR.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9770 bytes

I was also told to supply this *FixIEDef log*

********************************************************************************
* *
* FixIEDef Log *
* Version 1.4.16.4411 *
* *
********************************************************************************

Created at 15:19:30 on Saturday, June 07, 2008

Time Zone : (GMT+10:00) Canberra, Melbourne, Sydney

Operating System : Microsoft Windows XP Home Edition
Service Pack Level: Service Pack 2
System Langauge : English (United States)
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\__c00AE262.dat

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================


----------



## cybertech

I don't understand why you started a new thread. I *am* helping you. I found your thread by looking for threads with no replies.

Am I missing something?


----------



## johnisnot1337

I'm really sorry, I took about 10 days to reply to you here, so I thought you would think I left. Then, because this thread had been replied to, I wouldn't be helped by anyone else. Since you're a mod, maybe you could delete/lock my newer one? I do appreciate your help and will keep on this thread.


----------



## cybertech

*Run HJT again and put a check in the following:*

O2 - BHO: (no name) - {838B9116-E836-423F-A3CD-99B47A97D0FD} - C:\WINDOWS\system32\iifdawXn.dll (file missing)
O4 - HKCU\..\Run: [WinButler] C:\Documents and Settings\Owner\Application Data\WinButler\WinButler.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AE262.dat

*Close all applications and browser windows before you click "fix checked".*

Please visit *this webpage* for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


----------



## johnisnot1337

Every time I run ComboFix, CounterSpy warns me about a trojan downloader and a backdoor activating and quarantines them. After running it I tried to send the logs here, but my internet no longer works on my infected computer (though I am using the same connection right now on a different computer). Then I received an auto-update for something, when it decided to reboot, meaning I lost the original ComboFix log. In my CounterSpy quarantine now are multiples of backdoor.unidentified.gen and trojandownloader.win32.agent.aww.

I am no longer receiving the 0xc00... error when booting or trying to access Run etc., but now my internet does not work, even though I am sending this over the same connection from a different computer.

Here is a HijackThis log followed by a second ComboFix log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:31 PM, on 9/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adlib\Express\AdlibFMR.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Camera Detector] "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" -autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171493831625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171493927015
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O23 - Service: Adlib Express Server - Adlib Software - C:\Program Files\Adlib\Express\adexps.exe
O23 - Service: Adlib FMR - Adlib eDocument Solutions - C:\Program Files\Adlib\Express\AdlibFMR.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9303 bytes

ComboFix 08-06-08.5 - Owner 2008-06-09 15:47:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CSC.2.1.946.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1032.0.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1040.0.exe
C:\WINDOWS\system32\__c00AE262.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-06 16:54 . 2008-06-06 16:54 d--------	C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Webroot
2008-06-02 14:34 . 2008-06-06 17:38 d-a------	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-02 14:33 . 2008-06-02 14:33 d--------	C:\Program Files\Webroot
2008-06-02 14:33 . 2008-06-07 13:37 d--------	C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-02 14:33 . 2008-06-02 14:33 d--------	C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2008-06-02 14:33 . 2008-06-02 14:33 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2008-06-02 14:32 . 2008-06-06 18:31 d--------	C:\Program Files\SpywareBlaster
2008-06-02 14:32 . 2008-06-02 14:32 d--------	C:\Program Files\Lavasoft
2008-06-02 14:32 . 2008-06-02 14:32 d--------	C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-02 14:32 . 2008-06-02 14:32	164	--a------	C:\install.dat
2008-06-02 14:29 . 2008-06-06 21:34 d--------	C:\Temp
2008-06-02 14:29 . 2008-06-02 14:29 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-06-02 14:19 . 2008-06-02 14:19 d--------	C:\WINDOWS\system32\GroupPolicy
2008-06-02 14:19 . 2008-06-07 15:42 d--------	C:\Program Files\Hitman Pro
2008-05-28 22:40 . 2008-05-28 22:36	691,545	--a------	C:\WINDOWS\unins000.exe
2008-05-28 22:40 . 2008-05-28 22:40	2,547	--a------	C:\WINDOWS\unins000.dat
2008-05-28 20:39 . 2008-05-28 20:39 d--------	C:\Documents and Settings\Administrator.HOME
2008-05-27 18:12 . 2008-05-27 18:12 d--------	C:\Program Files\Trend Micro
2008-05-26 11:54 . 2008-05-26 11:54 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-05-26 11:41 . 2008-05-26 11:41 d--------	C:\Program Files\Bonjour
2008-05-26 11:33 . 2008-05-26 11:33 d--------	C:\Program Files\Common Files\Macrovision Shared
2008-05-25 21:52 . 2008-05-25 21:52 d--------	C:\Program Files\Sun
2008-05-23 18:34 . 2008-05-23 18:34	58	--a------	C:\WINDOWS\CTACD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 02:41	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Azureus
2008-06-08 10:45	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-06-08 04:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\eBookPro6
2008-06-06 11:31	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-03 06:33	---------	d-----w	C:\Program Files\Apple Software Update
2008-06-03 02:18	---------	d-----w	C:\Program Files\Dad's Music
2008-05-30 05:00	68,608	----a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-28 12:42	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-05-28 05:28	---------	d-----w	C:\Program Files\Dad's Pics
2008-05-26 01:41	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-05-25 11:52	---------	d-----w	C:\Program Files\Java
2008-05-24 02:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2008-05-06 05:59	---------	d-----w	C:\Program Files\Safari
2008-04-17 03:08	---------	d-----w	C:\Program Files\Azureus
2007-02-23 03:39	81,920	----a-w	C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-02-23 03:39	47,360	----a-w	C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-01-04 01:03	32,848	----a-w	C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2006-10-16 01:27	81,920	----a-w	C:\Documents and Settings\Steve\Application Data\ezpinst.exe
2006-10-16 01:27	47,360	----a-w	C:\Documents and Settings\Steve\Application Data\pcouffin.sys
2005-06-09 06:53	4,423,630	----a-w	C:\Program Files\EvolutionX.zip
2005-06-09 06:40	38,361,469	----a-w	C:\Program Files\EmulatorPack.zip
2005-06-09 06:26	859,395	----a-w	C:\Program Files\Xbox.exe
2005-06-09 06:25	14,167,081	----a-w	C:\Program Files\bonus.exe
2005-06-09 06:20	1,097,117	----a-w	C:\Program Files\dvdwpro.exe
2004-10-01 05:00	40,960	----a-w	C:\Program Files\Uninstall_CDS.exe
2007-02-21 07:08	56	--sh--r	C:\WINDOWS\system32\4D2072CDAD.sys
2007-02-21 07:08	1,682	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 20:58 206184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 09:22 577536 C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 20:01 1397760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 22:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-04-29 01:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 22:00 33280 C:\WINDOWS\system32\rundll32.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 19:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 00:00 28672]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 17:02 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-07-19 11:36 933888]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 04:29 35328]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2002-12-09 14:35 208896]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 22:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 22:00 455168]
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2005-11-30 12:21 2919831]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 14:30 698864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"BM97ce4bcc"=Rundll32.exe "C:\WINDOWS\system32\wdakbeks.dll",s
"94fd7850"=rundll32.exe "C:\WINDOWS\system32\hpjoqgup.dll",b

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:MP3-Xtreme TCP port 6346
"6346:UDP"= 6346:UDP:MP3-Xtreme UDP port 6346

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-03-18 08:21]
R2 Adlib FMR;Adlib FMR;C:\Program Files\Adlib\Express\AdlibFMR.exe [2005-07-26 16:20]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 Adlib Express Server;Adlib Express Server;C:\Program Files\Adlib\Express\adexps.exe [2007-03-16 09:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83ff1f9-d734-11db-b10d-001617bb0954}]
\Shell\AutoRun\command - G:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf26157e-c15d-11db-b101-001617bb0954}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb71e73c-e1dc-11dc-b173-001617bb0954}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 11:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???J???\'2???A~??A~J???????\???\???????????U?A~??A~\???\?????????`[email protected]?\???\??????sJ???\??????s\[email protected]'[email protected]'[email protected]?x???`|?w\[email protected]

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-06-09 15:52:15
ComboFix-quarantined-files.txt 2008-06-09 05:52:11
ComboFix2.txt 2008-06-09 03:39:27

Pre-Run: 51,260,125,184 bytes free
Post-Run: 51,247,185,920 bytes free

157	--- E O F ---	2008-06-09 04:01:12


----------
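The ComboFix log above carries the entries the helper acts on in the next reply: two disabled `run-` values that use rundll32 to load `C:\WINDOWS\system32\wdakbeks.dll` and `hpjoqgup.dll` through single-letter exports (`,s` and `,b`), plus an `ISTray` autostart whose target has no file metadata (`[ ]`). The checker below is an added example written for this page, not part of ComboFix or HijackThis; it encodes those eyeball heuristics so the same "Reg Loading Points" dump can be triaged mechanically. The sample input is constructed from lines in the log above, and the thresholds in `looks_random` are assumptions, not a published rule.

```python
"""Flag suspicious autostart entries in a ComboFix 'Reg Loading Points' dump.

Added example for this thread (not ComboFix/HijackThis code). Heuristics:
  * rundll32 loading a system32 DLL whose name is a run of lowercase
    letters and whose entry point is a single letter (the pattern shown
    in the thread's log for wdakbeks.dll / hpjoqgup.dll),
  * values whose target has no file metadata ("[ ]"), and
  * rundll32 entries left under the disabled 'run-' key.
"""
import re

# Constructed sample: a subset of the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 09:22 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 22:00 33280 C:\WINDOWS\system32\rundll32.exe]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"BM97ce4bcc"=Rundll32.exe "C:\WINDOWS\system32\wdakbeks.dll",s
"94fd7850"=rundll32.exe "C:\WINDOWS\system32\hpjoqgup.dll",b
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# rundll32 "<...>\system32\<letters>.dll",<entry>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\\system32\\(?P<dll>[a-z]{6,10})\.dll)"?,(?P<entry>\w+)',
    re.IGNORECASE,
)


def parse_entries(text):
    """Yield (registry_key, value_name, value_data) for each REGEDIT4-style value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def looks_random(name):
    """Heuristic (assumed thresholds): few vowels or a long consonant run."""
    vowels = sum(c in "aeiou" for c in name)
    if vowels / len(name) < 0.35:
        return True
    return re.search(r"[^aeiou]{4,}", name) is not None


def triage(text):
    """Return findings as dicts: {'key', 'name', 'data', 'reasons'}, in log order."""
    findings = []
    for key, name, data in parse_entries(text):
        reasons = []
        m = RUNDLL_RE.search(data)
        if m:
            if len(m.group("entry")) == 1:
                reasons.append("rundll32 loads system32 DLL via single-letter export")
            if looks_random(m.group("dll").lower()):
                reasons.append("DLL name looks randomly generated")
            if key.lower().endswith("\\run-"):
                reasons.append("disabled 'run-' entry still references the DLL")
        if data.rstrip().endswith("[ ]"):
            reasons.append("autostart target has no file metadata (file missing)")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Run against the sample it reports `ISTray` (missing file) and the two `run-` rundll32 values; the legitimate `NvCplDaemon` entry, which also names rundll32, is not flagged because no DLL argument follows it on that line.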



## johnisnot1337

Internet is now working - I opened IE (I usually use Mozilla Firefox) and it updated my settings.
I also ran a CounterSpy scan and it picked up a Bifrost backdoor, which I quarantined.


----------



## cybertech

johnisnot1337 said:


> Every time I run ComboFix, CounterSpy warns me about a trojan downloader and backdoor activating and quarantines them.


I guess you missed this in the instructions.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Open Notepad and copy and paste the text in the quote box below into it:


> KILLALL::
> File::
> C:\WINDOWS\system32\wdakbeks.dll
> C:\WINDOWS\system32\hpjoqgup.dll
> Registry::
> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
> "BM97ce4bcc"=-
> "94fd7850"=-


Save the file to your desktop and name it CFScript.txt.

Then drag CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Please perform a scan with *Kaspersky Webscan Online Virus Scanner*

1. Read the Requirements and Privacy statement, then select "*Accept*". 
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?". 
3. Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow the scanner to run. 
4. When the download is complete it will say ready, click "*Next*". 
5. Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard). 
6. Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*". 
7. Click "*OK*". 
8. Under "*Select a target to scan*", click on "*My Computer*". 
9. When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for the _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically, or it will show '_Kaspersky Online Scanner license key was not found!_'


----------



## johnisnot1337

When ComboFix finished, it tried to reboot, but the screen froze whilst Windows was shutting down. I manually shut it off and back on, and ComboFix automatically came on and gave me the log.

Here it is.

ComboFix 08-06-08.5 - Owner 2008-06-10 1:25:45.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.716 [GMT 10:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\hpjoqgup.dll
C:\WINDOWS\system32\wdakbeks.dll
.
/wow section - STAGE 41
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-06 16:54 . 2008-06-06 16:54 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Webroot
2008-06-02 14:34 . 2008-06-06 17:38 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-02 14:33 . 2008-06-02 14:33 d-------- C:\Program Files\Webroot
2008-06-02 14:33 . 2008-06-07 13:37 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-02 14:33 . 2008-06-02 14:33 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Webroot
2008-06-02 14:33 . 2008-06-02 14:33 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot
2008-06-02 14:32 . 2008-06-06 18:31 d-------- C:\Program Files\SpywareBlaster
2008-06-02 14:32 . 2008-06-02 14:32 d-------- C:\Program Files\Lavasoft
2008-06-02 14:32 . 2008-06-02 14:32 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-02 14:32 . 2008-06-02 14:32 164 --a------ C:\install.dat
2008-06-02 14:29 . 2008-06-06 21:34 d-------- C:\Temp
2008-06-02 14:29 . 2008-06-02 14:29 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-06-02 14:19 . 2008-06-02 14:19 d-------- C:\WINDOWS\system32\GroupPolicy
2008-06-02 14:19 . 2008-06-10 01:21 d-------- C:\Program Files\Hitman Pro
2008-05-28 22:40 . 2008-05-28 22:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-28 22:40 . 2008-05-28 22:40 2,547 --a------ C:\WINDOWS\unins000.dat
2008-05-28 20:39 . 2008-05-28 20:39 d-------- C:\Documents and Settings\Administrator.HOME
2008-05-27 18:12 . 2008-05-27 18:12 d-------- C:\Program Files\Trend Micro
2008-05-26 11:54 . 2008-05-26 11:54 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-05-26 11:41 . 2008-05-26 11:41 d-------- C:\Program Files\Bonjour
2008-05-26 11:33 . 2008-05-26 11:33 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-25 21:52 . 2008-05-25 21:52 d-------- C:\Program Files\Sun
2008-05-23 18:34 . 2008-05-23 18:34 58 --a------ C:\WINDOWS\CTACD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 02:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-06-08 10:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-06-08 04:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\eBookPro6
2008-06-06 11:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-03 06:33 --------- d-----w C:\Program Files\Apple Software Update
2008-06-03 02:18 --------- d-----w C:\Program Files\Dad's Music
2008-05-30 05:00 68,608 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-28 12:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-28 05:28 --------- d-----w C:\Program Files\Dad's Pics
2008-05-26 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-25 11:52 --------- d-----w C:\Program Files\Java
2008-05-24 02:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-05-06 05:59 --------- d-----w C:\Program Files\Safari
2008-04-17 03:08 --------- d-----w C:\Program Files\Azureus
2007-02-23 03:39 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2007-02-23 03:39 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-01-04 01:03 32,848 ----a-w C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
2006-10-16 01:27 81,920 ----a-w C:\Documents and Settings\Steve\Application Data\ezpinst.exe
2006-10-16 01:27 47,360 ----a-w C:\Documents and Settings\Steve\Application Data\pcouffin.sys
2005-06-09 06:53 4,423,630 ----a-w C:\Program Files\EvolutionX.zip
2005-06-09 06:40 38,361,469 ----a-w C:\Program Files\EmulatorPack.zip
2005-06-09 06:26 859,395 ----a-w C:\Program Files\Xbox.exe
2005-06-09 06:25 14,167,081 ----a-w C:\Program Files\bonus.exe
2005-06-09 06:20 1,097,117 ----a-w C:\Program Files\dvdwpro.exe
2004-10-01 05:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-02-21 07:08 56 --sh--r C:\WINDOWS\system32\4D2072CDAD.sys
2007-02-21 07:08 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 20:58 206184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 09:22 577536 C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 20:01 1397760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 22:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-04-29 01:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 22:00 33280 C:\WINDOWS\system32\rundll32.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 19:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 00:00 28672]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 17:02 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-07-19 11:36 933888]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 04:29 35328]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.exe" [2002-12-09 14:35 208896]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25 6731312]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 22:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 22:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 22:00 455168]
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2005-11-30 12:21 2919831]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 14:30 698864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:MP3-Xtreme TCP port 6346
"6346:UDP"= 6346:UDP:MP3-Xtreme UDP port 6346

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-03-18 08:21]
R2 Adlib FMR;Adlib FMR;C:\Program Files\Adlib\Express\AdlibFMR.exe [2005-07-26 16:20]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 11:50]
S3 Adlib Express Server;Adlib Express Server;C:\Program Files\Adlib\Express\adexps.exe [2007-03-16 09:45]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83ff1f9-d734-11db-b10d-001617bb0954}]
\Shell\AutoRun\command - G:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb71e73c-e1dc-11dc-b173-001617bb0954}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 11:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 01:46:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???????\'2???A~??A~????????\???\???????????U?A~??A~\???\[email protected]?\???\??????s????\??????s\[email protected]'[email protected]'[email protected]?x???`|?w\[email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-10 1:51:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 15:51:20
ComboFix2.txt 2008-06-09 05:52:16
ComboFix3.txt 2008-06-09 03:39:27

Pre-Run: 51,173,982,208 bytes free
Post-Run: 51,157,889,024 bytes free

177 --- E O F --- 2008-06-09 04:01:12


----------



## johnisnot1337

I don't think I ran the correct Kaspersky scan as your provided steps didn't fit - it never prompted me about ActiveX. I clicked on the first scan button, "Kaspersky Online Scanner", from your link. 

Anyway, here is the Kaspersky log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 09, 2008 15:49:47
Records in database: 843951
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 95919
Threat name: 6
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 01:29:26


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Desktop\Uni ****\setup.exe Infected: Trojan-Downloader.Win32.Zlob.mek 1
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\CT Gosford support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{9A3736FF-766E-4FAB-8B19-20DDC4322727}\Microsoft\Outlook Express\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bi 2
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBtSKa.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nhpfvrvw.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wdakbeks.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00AE262.dat.vir Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.


----------
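The Kaspersky report above mixes four different kinds of hit: files already sitting in ComboFix's `C:\QooBox\Quarantine` folder, a worm inside an Outlook Express mail store (`Inbox.dbx`), `not-a-virus:` riskware (a VNC remote-admin tool and two MyWebSearch adware DLLs), and one live trojan downloader on the desktop. Each needs a different action, which is what the helper works through in the reply that follows. The script below is an added example for this page, not a Kaspersky tool; it parses the report's `<path> Infected: <threat> <count>` lines and buckets them by that distinction. The sample lines are copied from the posted report (the redacted `Uni ****` folder name is kept exactly as posted), and the bucket names are this example's own.

```python
"""Triage a Kaspersky Online Scanner report by where and what was detected.

Added example for this thread (not Kaspersky code). Report lines look like
'<path> Infected: <threat name> <count>'. Buckets:
  quarantined - already moved by ComboFix into QooBox; removed when ComboFix
                is uninstalled, no separate action needed
  mail_store  - the hit is a message inside a mailbox container; delete the
                message in the mail client rather than the container file
  riskware    - 'not-a-virus:' adware / remote-admin tooling; review, usually
                unwanted on a home PC
  live        - active detection on disk that still needs removal
"""
import re
from collections import defaultdict

# Constructed sample: the detection lines from the report posted in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\Desktop\Uni ****\setup.exe Infected: Trojan-Downloader.Win32.Zlob.mek 1
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\CT Gosford support.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{9A3736FF-766E-4FAB-8B19-20DDC4322727}\Microsoft\Outlook Express\Inbox.dbx Infected: Net-Worm.Win32.Mytob.bi 2
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBtSKa.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nhpfvrvw.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wdakbeks.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00AE262.dat.vir Infected: Trojan.Win32.Monder.gen 1
"""

LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
MAIL_STORES = (".dbx", ".pst", ".mbx")  # mailbox containers


def parse_report(text):
    """Yield (path, threat_name, count) for each detection line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def classify(path, threat):
    """Return the bucket name for one detection (see module docstring)."""
    if "\\QooBox\\Quarantine\\" in path or path.lower().endswith(".vir"):
        return "quarantined"
    if path.lower().endswith(MAIL_STORES):
        return "mail_store"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(text):
    """Return {bucket: [(path, threat, count), ...]} for the whole report."""
    buckets = defaultdict(list)
    for path, threat, count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat, count))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)} file(s)")
        for path, threat, count in hits:
            print(f"  {threat} x{count}  {path}")
```

On the sample this leaves one `live` item (the Zlob `setup.exe`), three `riskware` items and one `mail_store` item to act on, and confirms the four `quarantined` hits are ComboFix's own leftovers; the per-line counts sum to the report's "Infected objects: 10".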



## cybertech

C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{9A3736FF-766E-4FAB-8B19-20DDC4322727}\Microsoft\Outlook Express\Inbox.dbx

You need to manually remove the infected object from the inbox. Delete it and empty the Outlook Express trash.

Please *download* the *OTMoveIt2 by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt2.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the quote box below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

*You need to fix the Uni**** if you put those asterisks in there.*



> C:\Documents and Settings\Owner\Desktop\Uni ****\setup.exe
> C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
> C:\Program Files\MSN Messenger\msimg32.dll



 Return to OTMoveIt2, right click in the *Paste Custom List Of Files/Patterns To Move* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTMoveIt2*
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please post your hijackthis log again and let me know if you are still having problems.


----------



## johnisnot1337

I have never used Outlook Express so the inbox is completely *empty*.
I tried using Windows Explorer to navigate to the item but I can go no further than _C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{9A3736FF-766E-4FAB-8B19-20DDC4322727}\_ as the last folder is empty. I do have hidden folders visible.

I have not experienced any obvious problems or the 0xc000... error since I first ran Combofix

*OTMoveit2 log*

C:\Documents and Settings\Owner\Desktop\Uni stuff\setup.exe moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll NOT unregistered.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\MSN Messenger\msimg32.dll
C:\Program Files\MSN Messenger\msimg32.dll NOT unregistered.
C:\Program Files\MSN Messenger\msimg32.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06112008_170637

*Hijackthis log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:51 PM, on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adlib\Express\AdlibFMR.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Camera Detector] "C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" -autorun
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171493831625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171493927015
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O23 - Service: Adlib Express Server - Adlib Software - C:\Program Files\Adlib\Express\adexps.exe
O23 - Service: Adlib FMR - Adlib eDocument Solutions - C:\Program Files\Adlib\Express\AdlibFMR.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9141 bytes


----------


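The HijackThis log above is what the helper reads to decide the machine is clean, and the items worth a second look are easy to miss by eye: two Spyware Doctor services whose binaries are gone (`(file missing)`), an O9 button with `(no file)`, O16 ActiveX downloads from non-Microsoft hosts, and O4 Run entries that name an executable without a full path (resolved through PATH lookup at logon, so the log cannot tell you which file runs). The script below is an added example, not part of the thread, that parses those entry types and lists the findings. The sample lines are constructed from the posted log; the allow-list of ActiveX hosts is an assumption for the example.

```python
"""Flag the HijackThis log entries a reviewer checks first (added example, not from the thread)."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log format posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171493831625
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed allow-list: hosts from which an ActiveX (O16) download is expected on this box.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "drmlicense.one.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_URL_RE = re.compile(r"(https?://\S+)")


def parse_entries(text: str) -> list[tuple[str, str]]:
    """Split the log into (section code, body) pairs, ignoring R0/R1 and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def unqualified(cmd: str) -> bool:
    """True when the Run command does not start with a drive, UNC or %VAR% path."""
    exe = cmd.strip().lstrip('"')
    return re.match(r"^(?:[A-Za-z]:\\|\\\\|%)", exe) is None


def findings(text: str) -> list[tuple[str, str]]:
    """Return (category, log line) for every entry that merits a closer look."""
    out = []
    for code, body in parse_entries(text):
        if code == "O23" and body.endswith("(file missing)"):
            out.append(("service_file_missing", body))
        elif code == "O23" and " - Unknown owner - " in body:
            out.append(("service_unknown_owner", body))
        elif code == "O9" and body.endswith("(no file)"):
            out.append(("dangling_ie_button", body))
        elif code == "O16":
            m = DPF_URL_RE.search(body)
            host = urlparse(m.group(1)).hostname if m else None
            if host not in TRUSTED_DPF_HOSTS:
                out.append(("activex_from_untrusted_host", body))
        elif code == "O4":
            m = O4_RE.match(body)
            if m and unqualified(m["cmd"]):
                out.append(("unqualified_autorun_path", body))
    return out


if __name__ == "__main__":
    for category, line in findings(SAMPLE_LOG):
        print(f"[{category}] {line}")
```

None of these categories is proof of infection on its own: `SOUNDMAN.EXE` is a normal Realtek autorun, and a missing service binary is usually just a half-removed product. The value is that the script turns a 100-line log into the short list the helper actually asks about, and a Run entry with no path is the one case where you should confirm on disk which file is being started.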

## cybertech

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.


Search for *Inbox.dbx* and delete that if you don't use OE.

I don't see any anti-virus software running. 
Load *AVG* it's free.

Your Java is out of date. Use Secunia software inspector & update checker and remove all old versions from add/remove programs.

How is it running now? Any problems?


----------



## johnisnot1337

I searched for Inbox.dbx and there were 10 results, all were "last modified 10 june" a few minutes apart. I deleted all of them.
I uninstalled combofix through run as you asked and while doing this Counterspy warned me about a trojan downloader and backdoor activating, just like when I ran ComboFix before disabling all active protection. Was I supposed to disable it again?
I already had AVG installed but a file was missing. I must have accidentally deleted or quarantined part of it. I deleted it and reinstalled it.

I noticed Winbutler is in my add/remove programs list. I thought I deleted it.


----------



## cybertech

Disabling just keeps you from getting the warning about a file being read by Counterspy. It should not have affected the deletion.

Winbutler in add/remove programs will likely not remove anything since we deleted it but you could try. If nothing happens you have to edit the registry to remove it from add/remove programs list but it's harmless to leave it.


----------



## johnisnot1337

Well it seems like my computer is free of malware now. 

Anything else I should do?


----------



## cybertech

You can and *should* remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

*OTMoveIt2 by OldTimer* has a *CleanUp!* option you can use to remove most of the fixes and associated files and folders. 

Make sure you have an Internet Connection. 
Double-click *OTMoveIt2.exe* to run it. 
Click on the *CleanUp!* button 
A list of tool components used in the Cleanup of malware will be downloaded. 
If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so. 
Click Yes to begin the Cleanup process and remove these components, including this application. 
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose *Yes.* 

It's a good idea to Flush your System Restore after removing malware: 
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Now you should Clean up your PC

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place? *by Tony Klein*

Good free tools and advice on how to tighten your security settings.

Security Help Tools


----------



## johnisnot1337

Thank you for all your time!!! I'll make a donation to the site


----------



## cybertech

You're welcome and thanks for your support!


----------

