# Solved: Please help... I've tried everything I know



## jca716 (May 28, 2005)

I got a virus the other night called W32.Trats!inf. It is a nasty little thing that just shut my Norton completely down. I reinstalled the new Norton AntiVirus, then did LiveUpdate and a scan. It removed the virus (or so it said), but after reboot the damn thing is still there. I tried everything: all the spyware programs, and I followed Symantec's removal procedures, but that didn't work either. Now I keep getting attacked by a new virus, Trojan.Vundo. I used the removal tool from Symantec's site to rid myself of this, but damn it, it's back again. I know enough to know this thing is spreading, and spreading fast. I want to avoid wiping the drive clean and starting over because I don't really want to lose all my pics, videos and ISO games (don't ask; my CD burner is out as well, but that's another story). Please, please, please help me, someone. I desperately need assistance from a PRO of all PROs. The only thing that boggles the mind is why I paid so much for Norton when the thing doesn't work to do what I bought it for. P.S. I know nothing about the registry or editing it, for that matter, but I did go there and look for the files that Symantec told me to edit, and those files were not there to delete. Please help me, please.


----------



## PCcruncher (Oct 24, 2007)

I would download HijackThis and post the log in the HijackThis area for those who are qualified to help with these issues.


----------



## jca716 (May 28, 2005)

Do you mean post the log here (HijackThis area??) on this thread? And is the program you recommended free to download? I just can't pay for any more virus programs. Every hour the threat spreads more on my PC as well. Here, this is what I've got right now. This is under the security risks category:

Category: Security risks
Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
12/28/2007 10:51:51 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\awvvw.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198900307,Action taken: Blocked"
12/28/2007 10:51:50 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PN878HUD\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198900307,Action taken: Blocked"
12/28/2007 9:51:40 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PN878HUD\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198896697,Action taken: Blocked"
12/28/2007 9:51:40 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmkhi.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198896697,Action taken: Blocked"
12/28/2007 8:51:50 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PN878HUD\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198893107,Action taken: Blocked"
12/28/2007 8:51:50 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmnlk.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198893107,Action taken: Blocked"
12/28/2007 7:51:33 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\WBRI3B6S\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198889492,Action taken: Blocked"
12/28/2007 7:51:33 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddabx.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198889492,Action taken: Blocked"
12/28/2007 6:51:38 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmnlm.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198885894,Action taken: Blocked"
12/28/2007 6:51:38 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\IX2U36WS\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198885894,Action taken: Blocked"
12/28/2007 5:51:29 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NC5ZL1JI\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198882288,Action taken: Blocked"
12/28/2007 5:51:29 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmkhg.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198882288,Action taken: Blocked"
12/28/2007 4:51:23 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NC5ZL1JI\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198878682,Action taken: Blocked"
12/28/2007 4:51:23 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\vtuts.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198878682,Action taken: Blocked"
12/28/2007 3:51:30 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmnlk.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198875088,Action taken: Blocked"
12/28/2007 3:51:30 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NC5ZL1JI\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198875088,Action taken: Blocked"
12/28/2007 2:51:37 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3KH1C64D\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198871495,Action taken: Blocked"
12/28/2007 2:51:37 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\vtsqp.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198871495,Action taken: Blocked"
12/28/2007 1:52:47 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddcyv.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198867951,Action taken: Blocked"
12/28/2007 1:52:47 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\IX2U36WS\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198867951,Action taken: Blocked"
12/28/2007 1:29:24 PM,Auto-Protect,Trojan.Vundo,Fully removed,File,2007.12.28.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198866375,Action taken: Fully removed"
12/28/2007 8:50:06 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.12.27.025,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: ,Risk category: Cookie,Overall Risk Impact: Low,Performance: 0,Privacy: 1198836254,Action taken: Fully removed"
12/27/2007 9:54:52 PM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
12/27/2007 8:37:18 PM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
12/27/2007 8:11:47 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\SHQJCXIR\gamadril20071203[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198804299,Action taken: Blocked"
12/27/2007 2:27:35 AM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
12/27/2007 2:27:34 AM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\TMP6.tmp,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
12/27/2007 12:16:25 AM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
12/27/2007 12:05:10 AM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
12/26/2007 11:58:41 PM,Virus scanner,W32.Trats!inf,Fully removed,File,2007.12.26.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: ,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198727179,Action taken: Fully removed"
12/26/2007 11:58:40 PM,Virus scanner,Tracking Cookie,Fully removed,File,2007.12.26.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: ,Risk category: Cookie,Overall Risk Impact: Low,Performance: 0,Privacy: 1198727009,Action taken: Fully removed"
12/26/2007 10:39:38 PM,Auto-Protect,W32.Trats!inf,Removal not attempted,File,2007.12.26.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Program Files\Messenger\msmsgs.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198726761,Action taken: Removal not attempted"
12/26/2007 9:59:22 PM,Auto-Protect,W32.Trats!inf,Fully removed,File,2007.12.26.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198724341,Action taken: Fully removed"
12/26/2007 9:59:20 PM,Auto-Protect,W32.Trats!inf,Fully removed,File,2007.12.26.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Program Files\Messenger\msmsgs.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198724318,Action taken: Fully removed"

But they're not gone. I tried to run the removal tool for the Vundo trojan and it shut that down and gave me some kind of error message as well.


----------
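The Auto-Protect log above has a shape worth reading before touching the registry: every hour, within a second or two of each other, a `css4[1]` file is blocked in Temporary Internet Files and a freshly named DLL is blocked in `system32`. The download is the payload arriving and the DLL is it being installed, and the process doing the fetching is never named in the log, which is why "Blocked" keeps recurring while "Fully removed" never sticks. The script below is an added example, not part of the original thread; it parses a constructed sample of the CSV lines quoted above (copied verbatim, eight events) and surfaces that cadence. The field names it relies on are the ones in the posted header line.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: the header plus eight events copied verbatim from the
# Norton Auto-Protect CSV quoted in the post above.
NORTON_LOG = r"""
Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
12/28/2007 10:51:51 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\awvvw.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198900307,Action taken: Blocked"
12/28/2007 10:51:50 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PN878HUD\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198900307,Action taken: Blocked"
12/28/2007 9:51:40 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PN878HUD\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198896697,Action taken: Blocked"
12/28/2007 9:51:40 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmkhi.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198896697,Action taken: Blocked"
12/28/2007 8:51:50 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\PN878HUD\css4[1],Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198893107,Action taken: Blocked"
12/28/2007 8:51:50 PM,Auto-Protect,Trojan.Vundo,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\pmnlk.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198893107,Action taken: Blocked"
12/28/2007 1:29:24 PM,Auto-Protect,Trojan.Vundo,Fully removed,File,2007.12.28.003,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.dll,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Privacy: 1198866375,Action taken: Fully removed"
12/27/2007 9:54:52 PM,Auto-Protect,W32.Trats!inf,Blocked,File,N/A,14.3.0.8,SYSTEM,PAPA_FREDDIE,"Source: C:\WINDOWS\system32\ddaba.exe,Risk category: Virus,Overall Risk Impact: High,Performance: 1,Action taken: Blocked"
"""


def parse_norton_log(text):
    """Parse the CSV export. The quoted Details column is itself a list of
    'key: value' pairs, so it is split a second time."""
    events = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        details = dict(part.partition(": ")[::2] for part in row["Details"].split(","))
        events.append({
            "time": datetime.strptime(row["Date Time"], "%m/%d/%Y %I:%M:%S %p"),
            "risk": row["Risk Name"],
            "action": row["Result"],
            "source": details.get("Source", ""),
        })
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def blocked_per_hour(events):
    """Hour -> basenames Auto-Protect merely blocked (not removed) in that hour.
    Shows the once-an-hour cadence the poster describes."""
    by_hour = defaultdict(list)
    for e in events:
        if e["action"] == "Blocked":
            by_hour[e["time"].strftime("%Y-%m-%d %H:00")].append(basename(e["source"]))
    return dict(by_hour)


def rotating_system32_dlls(events):
    """Every Vundo hit under system32 carries a different short random name,
    so deleting any one DLL by name never ends the infection."""
    return sorted({
        basename(e["source"]).lower() for e in events
        if e["risk"] == "Trojan.Vundo"
        and "\\system32\\" in e["source"].lower()
        and e["source"].lower().endswith(".dll")
    })


def fetch_then_drop_pairs(events, window_seconds=5):
    """Pair each css4[1] write in Temporary Internet Files with the system32
    DLL blocked within a few seconds of it. Neither line names the process
    that fetched the file; that process is what still needs finding."""
    fetches = [e for e in events if basename(e["source"]) == "css4[1]"]
    drops = [e for e in events
             if e["action"] == "Blocked" and e["source"].lower().endswith(".dll")]
    pairs = []
    for f in fetches:
        for d in drops:
            if abs((d["time"] - f["time"]).total_seconds()) <= window_seconds:
                pairs.append((f["time"].strftime("%m/%d %H:%M"), basename(d["source"])))
    return sorted(pairs)


if __name__ == "__main__":
    events = parse_norton_log(NORTON_LOG)
    for hour, names in sorted(blocked_per_hour(events).items()):
        print(hour, names)
    print("rotating payload names:", rotating_system32_dlls(events))
    print("fetch -> drop pairs:", fetch_then_drop_pairs(events))
```

Run against the full log in the post, the same functions list one new DLL name per hour and one `css4[1]` fetch beside each; the single "Fully removed" entry (`ddaba.dll`) is the only one that is not re-blocked an hour later, and it is the one whose loader ComboFix later lists under Other Deletions.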



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:36 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINDOWS\system32\pmnonop.dll
O2 - BHO: {77e5fccc-5817-e959-5564-e0969f7e0b0b} - {b0b0e7f9-690e-4655-959e-7185cccf5e77} - C:\WINDOWS\system32\pudgnrxq.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [009b376f] rundll32.exe "C:\WINDOWS\system32\armdnyrw.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SystemTray Monitor] SysTraymon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151094774265
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\SYSTEM32\pmnonop.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7638 bytes


----------



## jca716 (May 28, 2005)

I'm about to try it now. I'll let you know, and yes, I have a partitioned drive as well. I hope this works. Question: when I delete a registry entry, exactly how do I do this? I know regedit in the Run window, but after that I'm a little lost. I'll try to figure it out. Thanks so much, dude, I'll let you know though.


----------



## jca716 (May 28, 2005)

I've tried it all and it's still there. I went through the registry and none of the entries that I was told to remove are there, and now a Trojan.Vundo is popping up as blocked every hour on the hour. This is worse than I thought, I know it.


----------



## Blackmirror (Dec 5, 2006)

Hello, may I intervene and ask that no one gives any advice, please.
I have reported this to a member of the security team to take a look.


----------



## Cookiegal (Aug 27, 2003)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

WARNING: *If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine to the Internet until ComboFix has completely finished.*
If there is no Internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

***Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.***


----------



## Cookiegal (Aug 27, 2003)

I've also edited your first post. Please be careful of your language.


----------



## Cookiegal (Aug 27, 2003)

PCcruncher said:


> I would download HijackThis and post the log in the HijackThis area for those who are qualified to help with these issues.


Please do not advise users to start a new thread as it creates more work for the moderators. We prefer that the logs be posted here and then the thread can be moved, if necessary.


----------



## Cookiegal (Aug 27, 2003)

*codejockey *and *astro3ron*,

Please refer to the rules concerning malware removal.

http://www.techguy.org/rules.html

*Log Analysis/Malware Removal* - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

Please refrain from replying to security related matters on this forum until you have presented evidence to one of the moderators or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM me or one of the other moderators that work Security and we'll point you in the right direction.

Thanks in advance for your cooperation.


----------



## jca716 (May 28, 2005)

I'm about to try to attempt to try your method now. I will also remember to be more respectful in the future and I will re-review the forum rules as well. I'll let you know how it goes.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## jca716 (May 28, 2005)

ComboFix 08-01-03.4 - Compaq_Owner 2008-01-02 20:18:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abadd.ini
C:\WINDOWS\system32\abadd.ini2
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\pmnonop.dll
C:\WINDOWS\system32\SysPr.prx
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-02 20:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-12-30 19:26 . 2007-12-30 19:26 d--------	C:\Program Files\LimeWire
2007-12-30 18:58 . 2007-12-30 19:34 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-30 18:58 . 2007-12-30 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 15:53 . 2007-12-30 15:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:51 . 2007-12-30 16:10 d--------	C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-30 11:12 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-29 23:33 . 2004-08-04 00:56	116,224	--a------	C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-29 23:33 . 2001-08-17 22:37	27,648	--a------	C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-29 23:33 . 2001-08-17 22:36	23,040	--a------	C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-29 23:33 . 2001-08-17 22:36	17,408	--a------	C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-29 23:31 . 2001-08-17 13:28	701,386	--a------	C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-12-29 23:30 . 2001-08-17 13:28	794,654	--a------	C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-29 23:29 . 2001-08-17 22:36	216,064	--a------	C:\WINDOWS\system32\dllcache\um34scan.dll
2007-12-29 23:28 . 2004-08-04 07:00	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-29 23:27 . 2001-08-17 14:56	172,768	--a------	C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-12-29 23:26 . 2001-08-17 12:18	285,760	--a------	C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-29 23:25 . 2001-08-17 13:51	61,824	--a------	C:\WINDOWS\system32\dllcache\speed.sys
2007-12-29 23:25 . 2001-08-17 22:36	24,660	--a------	C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-12-29 23:24 . 2001-08-17 22:36	106,584	--a------	C:\WINDOWS\system32\dllcache\spdports.dll
2007-12-29 23:24 . 2001-08-17 14:07	19,072	--a------	C:\WINDOWS\system32\dllcache\sparrow.sys
2007-12-29 23:22 . 2004-08-04 07:00	456,704	--a------	C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-29 23:21 . 2004-08-03 22:41	404,990	--a------	C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-29 23:20 . 2001-08-17 22:36	495,616	--a------	C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-29 23:19 . 2004-08-04 00:56	397,056	--a------	C:\WINDOWS\system32\dllcache\s3gnb.dll
2007-12-29 23:18 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-29 23:17 . 2004-08-04 07:00	482,304	--a------	C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-29 23:16 . 2004-08-04 00:56	259,328	--a------	C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-29 23:15 . 2001-08-17 14:05	351,616	--a------	C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-29 23:14 . 2004-08-04 00:56	4,274,816	--a------	C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-29 23:13 . 2004-08-04 00:56	1,737,856	--a------	C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-12-29 23:12 . 2004-08-04 07:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-29 23:11 . 2001-08-17 12:50	320,384	--a------	C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-29 23:10 . 2001-08-17 13:28	802,683	--a------	C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-29 23:09 . 2004-08-04 07:00	1,158,818	--a------	C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-29 23:08 . 2004-08-04 00:56	152,576	--a------	C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-29 23:07 . 2004-08-04 07:00	811,064	--a------	C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-29 23:06 . 2001-08-17 22:36	372,824	--a------	C:\WINDOWS\system32\dllcache\iconf32.dll
2007-12-29 23:05 . 2004-08-04 07:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-29 23:04 . 2001-08-17 13:28	542,879	--a------	C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-29 23:03 . 2001-08-17 22:36	126,976	--a------	C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2007-12-29 23:02 . 2001-08-17 14:56	1,733,120	--a------	C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-29 23:01 . 2001-08-17 12:14	444,416	--a------	C:\WINDOWS\system32\dllcache\fpcibase.sys
2007-12-29 23:00 . 2001-08-17 13:28	595,647	--a------	C:\WINDOWS\system32\dllcache\es56cvmp.sys
2007-12-29 22:59 . 2001-08-17 13:28	634,134	--a------	C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-29 22:58 . 2001-08-17 12:14	952,007	--a------	C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-29 22:57 . 2001-08-17 22:36	419,357	--a------	C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-29 22:56 . 2004-08-04 07:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-29 22:55 . 2001-08-17 13:28	871,388	--a------	C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-29 22:54 . 2004-08-04 00:56	870,784	--a------	C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-12-29 22:53 . 2001-08-17 13:28	762,780	--a------	C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-29 22:52 . 2004-05-13 00:39	876,653	--a------	C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-29 02:49 . 2005-11-09 11:23 d--------	C:\Documents and Settings\Administrator\WINDOWS
2007-12-29 02:49 . 2005-11-09 11:46 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-29 02:49 . 2005-11-09 11:25 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-29 01:20 . 2007-12-29 01:20 d--------	C:\Program Files\Trend Micro
2007-12-28 09:20 . 2007-12-30 20:22 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-27 22:23 . 2007-12-27 22:23 d--------	C:\Program Files\MSN Messenger
2007-12-27 20:11 . 2007-12-29 11:48	1,031,484	--ahs----	C:\WINDOWS\system32\wryndmra.ini
2007-12-27 00:09 . 2007-05-29 13:55	22,112	--a------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-27 00:09 . 2007-05-29 13:55	10,592	--a------	C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-27 00:09 . 2007-05-29 13:55	705	--a------	C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-26 21:31 . 2007-12-27 00:09 d--------	C:\Program Files\Norton AntiVirus
2007-12-26 21:29 . 2007-12-26 22:14	123,952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 21:29 . 2007-12-26 22:14	60,800	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 21:29 . 2007-12-26 22:14	10,740	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 21:29 . 2007-12-26 22:14	805	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 23:37 . 2007-12-25 23:37 d--------	C:\Program Files\EA GAMES
2007-12-25 23:17 . 2007-12-25 23:17 d--------	C:\Program Files\PowerISO
2007-12-17 20:23 . 2007-12-17 20:23 d--------	C:\Program Files\Common Files\SureThing Shared
2007-12-17 19:20 . 2007-12-17 19:20 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 18:47 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd
2007-12-15 13:05 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2007-12-15 13:04 . 2007-12-15 13:05 d--------	C:\Program Files\Java
2007-12-15 13:02 . 2007-12-15 13:02 d--------	C:\Program Files\Common Files\Java
2007-12-12 20:37 . 2007-12-12 20:37 d--------	C:\Program Files\uTorrent
2007-12-12 20:37 . 2008-01-02 17:52 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2007-12-12 19:39 . 2006-04-20 06:51	359,808	--a------	C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2007-12-12 19:38 . 2007-12-12 20:04 d--------	C:\Downloads
2007-12-10 20:33 . 2007-12-10 20:33 d--------	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 18:56 . 2007-12-05 18:56	151	--a------	C:\WINDOWS\PhotoSnapViewer.INI
2007-12-05 18:16 . 2007-12-05 18:16 d--------	C:\Program Files\Eidos Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 02:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-31 00:30	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-27 05:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-27 03:15	---------	d-----w	C:\Program Files\Symantec
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-04 19:27	485,888	--sh--w	C:\Program Files\Common Files\msdp.dll
2007-12-01 04:57	43,696	----a-w	C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57	317,616	----a-w	C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57	279,088	----a-w	C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57	10,545	----a-w	C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57	1,430	----a-w	C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57	1,421	----a-w	C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57	1,415	----a-w	C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-27 05:54	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Creative
2007-11-25 18:54	260,608	--sh--w	C:\Program Files\Common Files\mscd.exe
2007-11-17 06:25	---------	d-----w	C:\Program Files\Surreal
2007-11-13 10:25	20,480	----a-r	C:\WINDOWS\system32\drivers\secdrv.sys
2005-05-12 14:36	12,288	----a-w	C:\WINDOWS\Fonts\RandFont.dll
2006-07-30 17:16	205,918	--sha-w	C:\WINDOWS\system32\ggjlm.bak2
2006-07-31 14:45	214,206	--sha-w	C:\WINDOWS\system32\ggjlm.ini2
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-13 10:23	733,184	--sha-r	C:\WINDOWS\system32\SysTraymon.exe
.

```
----a-w         1,694,208 2007-12-27 03:33:19  C:\Program Files\Messenger\msmsgs .exe
```
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]
C:\WINDOWS\system32\pmnonop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 17:39 771704]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 07:00 388608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\system32\pmnonop.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]
pmnonop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Pin.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Pin.lnk
backup=C:\WINDOWS\pss\Pin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-01-02 19:25	15360	--a------	C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 12:10	50792	--a------	C:\Program Files\Common Files\AOL\1150577478\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 14:18	241664	--a------	C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 16:24	54840	--a------	C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 11:59	124520	--a------	C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-06 19:05	200704	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11	132496	--a------	C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray Monitor]
SysTraymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
C:\Program Files\Common Files\mscd.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-02 14:16:59 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 20:32:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-02 20:40:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 01:40:23
.
2007-12-30 05:41:55	--- E O F ---

here is the entire log that you requested. My entire system is running like new. You are so GREAT... it would be quite bold to say... I LOVE YOU... it seems that all is well in South Carolina tonight... I just want to say thank you sooooooooooooooo much. I also appreciate the knowledge that I will most definitely remember and take to the bank in the future... might I ask how one such as yourself becomes so knowledgeable about these types of problems? Well anyways, I will check back later to see if you found anything in the log file that I should know.


----------



## jca716 (May 28, 2005)

well, I thought all was good at least. I ran Spybot again and still it comes up... Microsoft Security Center disabled... so I guess it did not get it all... how can I be totally sure that it is completely fixed?


----------



## Cookiegal (Aug 27, 2003)

There is more to do but I'm tired and I'm signing off for the night so I'll post back with new instructions in the morning.


----------



## jca716 (May 28, 2005)

thanks so much, I'll be waiting to hear from you... hope you have a good day as


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders*, *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\system32\ctfmon.exe*

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\wryndmra.ini
C:\Program Files\Common Files\msdp.dll
C:\Program Files\Common Files\mscd.exe
C:\WINDOWS\system32\ggjlm.bak2
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\SysTraymon.exe
C:\WINDOWS\system32\pmnonop.dll

DirLook::
C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch

RENV::
C:\Program Files\Messenger\msmsgs .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
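As an added example that is not part of this thread (the code below is neither ComboFix's own nor anything the helper posted), here is a small Python script that pulls out of a ComboFix log the same signals the CFScript above acts on: files carrying both the system and hidden attributes, a file name with a space before its extension ("msmsgs .exe"), and one DLL registered under the Browser Helper Objects, ShellExecuteHooks and Winlogon Notify keys at the same time. The sample log embedded in it is constructed from lines of the logs posted earlier in this thread; the hook-type labels and the function names are the script's own.

```python
"""Triage a ComboFix-style log for the signals a helper otherwise reads by eye.

Added example for this thread; it is neither ComboFix's code nor anything the
helper posted. It parses the file listings (date, size, attribute flags, path)
and the 'Reg Loading Points' dump, and reports files with both the system (s)
and hidden (h) attributes, file names with whitespace before the extension
("msmsgs .exe"), and any module registered under several autostart hooks at
once. The result is a review list for a human, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the logs posted in the thread, trimmed
# to the few needed to exercise each signal.
SAMPLE_LOG = r"""
2007-12-04 19:27	485,888	--sh--w	C:\Program Files\Common Files\msdp.dll
2007-12-01 04:57	43,696	----a-w	C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-25 18:54	260,608	--sh--w	C:\Program Files\Common Files\mscd.exe
2006-07-30 17:16	205,918	--sha-w	C:\WINDOWS\system32\ggjlm.bak2
2007-06-13 10:23	733,184	--sha-r	C:\WINDOWS\system32\SysTraymon.exe
----a-w         1,694,208 2007-12-27 03:33:19  C:\Program Files\Messenger\msmsgs .exe

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]
C:\WINDOWS\system32\pmnonop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\system32\pmnonop.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]
pmnonop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
C:\Program Files\Common Files\mscd.exe
"""

# 'Files Created' / Find3M layout: date [. date] [size] attrs path
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?\s+"
    r"(?:([\d,]+|-{9})\s+)?([-a-zA-Z]{7,9})\s+(\S.*)$")
# The stray line ComboFix prints on its own: attrs size date time path
ORPHAN_LINE = re.compile(
    r"^([-a-zA-Z]{7,9})\s+([\d,]+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S.*)$")
KEY_LINE = re.compile(r"^\[-?(HKEY_[^\]]+)\]$", re.IGNORECASE)
MODULE_NAME = re.compile(r'([^\\\s"=\[\]]+\.(?:dll|exe))', re.IGNORECASE)
# Hooks that load a module at logon or into other processes; the msconfig
# 'startupreg' backups are left out on purpose because those are disabled.
HOOK_TYPES = (("browser helper objects", "BHO"),
              ("shellexecutehooks", "ShellExecuteHooks"),
              ("winlogon\\notify", "Winlogon Notify"),
              ("active setup\\installed components", "Active Setup"),
              ("currentversion\\run", "Run"))

def parse_files(log_text):
    """Return [(attrs, path)] for every file-listing line, in either layout."""
    files = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.rstrip()) or ORPHAN_LINE.match(line.rstrip())
        if m:
            attrs = m.group(3) if m.re is FILE_LINE else m.group(1)
            files.append((attrs, m.group(4)))
    return files

def classify_key(key):
    """Map a registry key path to a hook label, or None if it is not a hook."""
    k = key.lower()
    return next((label for needle, label in HOOK_TYPES if needle in k), None)

def parse_autostarts(log_text):
    """Map module basename -> set of hook labels it is registered under."""
    hooks, hook_type = defaultdict(set), None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            hook_type = None                # a blank line ends the key block
        elif KEY_LINE.match(line):
            hook_type = classify_key(KEY_LINE.match(line).group(1))
        elif hook_type:
            for name in MODULE_NAME.findall(line):
                hooks[name.lower()].add(hook_type)
    return hooks

def is_hidden_system(attrs):
    a = attrs.lower()
    return not a.startswith("d") and "s" in a and "h" in a

def has_odd_name(path):
    """True when whitespace sits right before the extension ('msmsgs .exe')."""
    return re.search(r"\s\.[^.\s]+$", path.rsplit("\\", 1)[-1]) is not None

def triage(log_text):
    """Run all three checks and return the candidates grouped by signal."""
    files, hooks = parse_files(log_text), parse_autostarts(log_text)
    return {"hidden_system": sorted(p for a, p in files if is_hidden_system(a)),
            "odd_names": sorted(p for a, p in files if has_odd_name(p)),
            "multi_hook": {n: sorted(t) for n, t in hooks.items() if len(t) >= 2}}
```

Run `triage(open("ComboFix.txt").read())` against a full log and compare the output with what a CFScript would have to list. The hidden+system check is only a heuristic: the full log above also lists `--sha` files that the helper deliberately left alone, so the result is a list of things to look up on Jotti, not a list of things to delete.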


----------



## jca716 (May 28, 2005)

ComboFix 08-01-03.4 - Compaq_Owner 2008-01-03 16:33:19.2 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Common Files\mscd.exe
C:\Program Files\Common Files\msdp.dll
C:\WINDOWS\system32\ggjlm.bak2
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\pmnonop.dll
C:\WINDOWS\system32\SysTraymon.exe
C:\WINDOWS\system32\wryndmra.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\mscd.exe
C:\Program Files\Common Files\msdp.dll
C:\WINDOWS\system32\ggjlm.bak2
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\SysTraymon.exe
C:\WINDOWS\system32\wryndmra.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-02 20:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-12-30 19:26 . 2007-12-30 19:26 d--------	C:\Program Files\LimeWire
2007-12-30 18:58 . 2007-12-30 19:34 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-30 18:58 . 2007-12-30 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 15:53 . 2007-12-30 15:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:51 . 2007-12-30 16:10 d--------	C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-30 11:12 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-29 23:33 . 2004-08-04 00:56	116,224	--a------	C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-29 23:33 . 2001-08-17 22:37	27,648	--a------	C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-29 23:33 . 2001-08-17 22:36	23,040	--a------	C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-29 23:33 . 2001-08-17 22:36	17,408	--a------	C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-29 23:31 . 2001-08-17 13:28	701,386	--a------	C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-12-29 23:30 . 2001-08-17 13:28	794,654	--a------	C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-29 23:29 . 2001-08-17 22:36	216,064	--a------	C:\WINDOWS\system32\dllcache\um34scan.dll
2007-12-29 23:28 . 2004-08-04 07:00	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-29 23:27 . 2001-08-17 14:56	172,768	--a------	C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-12-29 23:26 . 2001-08-17 12:18	285,760	--a------	C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-29 23:25 . 2001-08-17 13:51	61,824	--a------	C:\WINDOWS\system32\dllcache\speed.sys
2007-12-29 23:25 . 2001-08-17 22:36	24,660	--a------	C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-12-29 23:24 . 2001-08-17 22:36	106,584	--a------	C:\WINDOWS\system32\dllcache\spdports.dll
2007-12-29 23:24 . 2001-08-17 14:07	19,072	--a------	C:\WINDOWS\system32\dllcache\sparrow.sys
2007-12-29 23:22 . 2004-08-04 07:00	456,704	--a------	C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-29 23:21 . 2004-08-03 22:41	404,990	--a------	C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-29 23:20 . 2001-08-17 22:36	495,616	--a------	C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-29 23:19 . 2004-08-04 00:56	397,056	--a------	C:\WINDOWS\system32\dllcache\s3gnb.dll
2007-12-29 23:18 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-29 23:17 . 2004-08-04 07:00	482,304	--a------	C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-29 23:16 . 2004-08-04 00:56	259,328	--a------	C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-29 23:15 . 2001-08-17 14:05	351,616	--a------	C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-29 23:14 . 2004-08-04 00:56	4,274,816	--a------	C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-29 23:13 . 2004-08-04 00:56	1,737,856	--a------	C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-12-29 23:12 . 2004-08-04 07:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-29 23:11 . 2001-08-17 12:50	320,384	--a------	C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-29 23:10 . 2001-08-17 13:28	802,683	--a------	C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-29 23:09 . 2004-08-04 07:00	1,158,818	--a------	C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-29 23:08 . 2004-08-04 00:56	152,576	--a------	C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-29 23:07 . 2004-08-04 07:00	811,064	--a------	C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-29 23:06 . 2001-08-17 22:36	372,824	--a------	C:\WINDOWS\system32\dllcache\iconf32.dll
2007-12-29 23:05 . 2004-08-04 07:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-29 23:04 . 2001-08-17 13:28	542,879	--a------	C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-29 23:03 . 2001-08-17 22:36	126,976	--a------	C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2007-12-29 23:02 . 2001-08-17 14:56	1,733,120	--a------	C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-29 23:01 . 2001-08-17 12:14	444,416	--a------	C:\WINDOWS\system32\dllcache\fpcibase.sys
2007-12-29 23:00 . 2001-08-17 13:28	595,647	--a------	C:\WINDOWS\system32\dllcache\es56cvmp.sys
2007-12-29 22:59 . 2001-08-17 13:28	634,134	--a------	C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-29 22:58 . 2001-08-17 12:14	952,007	--a------	C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-29 22:57 . 2001-08-17 22:36	419,357	--a------	C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-29 22:56 . 2004-08-04 07:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-29 22:55 . 2001-08-17 13:28	871,388	--a------	C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-29 22:54 . 2004-08-04 00:56	870,784	--a------	C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-12-29 22:53 . 2001-08-17 13:28	762,780	--a------	C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-29 22:52 . 2004-05-13 00:39	876,653	--a------	C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-29 02:49 . 2005-11-09 11:23 d--------	C:\Documents and Settings\Administrator\WINDOWS
2007-12-29 02:49 . 2005-11-09 11:46 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-29 02:49 . 2005-11-09 11:25 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-29 01:20 . 2007-12-29 01:20 d--------	C:\Program Files\Trend Micro
2007-12-28 09:20 . 2007-12-30 20:22 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-27 22:23 . 2007-12-27 22:23 d--------	C:\Program Files\MSN Messenger
2007-12-27 00:09 . 2007-05-29 13:55	22,112	--a------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-27 00:09 . 2007-05-29 13:55	10,592	--a------	C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-27 00:09 . 2007-05-29 13:55	705	--a------	C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-26 21:31 . 2007-12-27 00:09 d--------	C:\Program Files\Norton AntiVirus
2007-12-26 21:29 . 2007-12-26 22:14	123,952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 21:29 . 2007-12-26 22:14	60,800	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 21:29 . 2007-12-26 22:14	10,740	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 21:29 . 2007-12-26 22:14	805	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 23:37 . 2007-12-25 23:37 d--------	C:\Program Files\EA GAMES
2007-12-25 23:17 . 2007-12-25 23:17 d--------	C:\Program Files\PowerISO
2007-12-17 20:23 . 2007-12-17 20:23 d--------	C:\Program Files\Common Files\SureThing Shared
2007-12-17 19:20 . 2007-12-17 19:20 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 18:47 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd
2007-12-15 13:05 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2007-12-15 13:04 . 2007-12-15 13:05 d--------	C:\Program Files\Java
2007-12-15 13:02 . 2007-12-15 13:02 d--------	C:\Program Files\Common Files\Java
2007-12-12 20:37 . 2007-12-12 20:37 d--------	C:\Program Files\uTorrent
2007-12-12 20:37 . 2008-01-03 16:08 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2007-12-12 19:39 . 2006-04-20 06:51	359,808	--a------	C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2007-12-12 19:38 . 2007-12-12 20:04 d--------	C:\Downloads
2007-12-10 20:33 . 2007-12-10 20:33 d--------	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 18:56 . 2007-12-05 18:56	151	--a------	C:\WINDOWS\PhotoSnapViewer.INI
2007-12-05 18:16 . 2007-12-05 18:16 d--------	C:\Program Files\Eidos Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 00:25	15,360	----a-w	C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-03 00:25	15,360	----a-w	C:\WINDOWS\system32\ctfmon.exe
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 02:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-31 00:30	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-27 05:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-27 03:15	---------	d-----w	C:\Program Files\Symantec
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-01 04:57	43,696	----a-w	C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57	317,616	----a-w	C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57	279,088	----a-w	C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57	10,545	----a-w	C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57	1,430	----a-w	C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57	1,421	----a-w	C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57	1,415	----a-w	C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-27 05:54	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Creative
2007-11-17 06:25	---------	d-----w	C:\Program Files\Surreal
2007-11-13 10:25	20,480	----a-r	C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 10:12	3,590,656	----a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-31 00:55	625,032	----a-w	C:\WINDOWS\system32\SymNeti.dll
2007-10-31 00:55	242,056	----a-w	C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40	222,720	----a-w	C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34	8,460,288	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57	474,112	----a-w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57	151,040	----a-w	C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57	1,498,112	----a-w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57	1,054,208	----a-w	C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57	1,024,000	----a-w	C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 23:56	824,832	----a-w	C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56	232,960	----a-w	C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56	1,159,680	----a-w	C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55	671,232	----a-w	C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55	478,208	----a-w	C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55	44,544	----a-w	C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55	384,512	----a-w	C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55	27,648	----a-w	C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55	230,400	----a-w	C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55	214,528	----a-w	C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55	193,024	----a-w	C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55	153,088	----a-w	C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55	132,608	----a-w	C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55	124,928	----a-w	C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55	105,984	----a-w	C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55	102,400	----a-w	C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59	70,656	----a-w	C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59	625,152	----a-w	C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 05:46	161,792	----a-w	C:\WINDOWS\system32\dllcache\ieakui.dll
2005-05-12 14:36	12,288	----a-w	C:\WINDOWS\Fonts\RandFont.dll
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

```
----a-w         1,694,208 2007-12-27 03:33:19  C:\Program Files\Messenger\msmsgs .exe
```
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 17:39 771704]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Pin.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Pin.lnk
backup=C:\WINDOWS\pss\Pin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-01-02 19:25	15360	--a------	C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 12:10	50792	--a------	C:\Program Files\Common Files\AOL\1150577478\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 14:18	241664	--a------	C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 16:24	54840	--a------	C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 11:59	124520	--a------	C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-06 19:05	200704	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11	132496	--a------	C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray Monitor]
SysTraymon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
C:\Program Files\Common Files\mscd.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-03 04:56:06 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 16:41:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 16:43:16
ComboFix-quarantined-files.txt 2008-01-03 21:43:12
ComboFix2.txt 2008-01-03 01:40:30
.
2007-12-30 05:41:55	--- E O F ---

Here's the other one:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan: 
Service 
Service load: 0% 100%

File: ctfmon.exe 
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 24232996a38c0b0cf151c2140ae29fc8 
Packers detected: - 
Bit9 reports: High threat detected (more info)

Scanner results 
Scan taken on 03 Jan 2008 21:23:34 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Ikarus Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

Below is what it said at Bit9 reports:

You searched for
MD5: 24232996a38c0b0cf151c2140ae29fc8

Your hash has been found in 53 Package(s).

And the last one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:15 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 4177 bytes


----------



## Cookiegal (Aug 27, 2003)

Download *RenV.exe* to your Desktop.

Double-Click on *RenV.exe*.

It shall produce a log, please post the log in your next reply.


----------



## jca716 (May 28, 2005)

```
Ran on Fri 01/04/2008 - 22:34:05.46

----a-w         1,694,208 2007-12-27 03:33:19  C:\Program Files\Messenger\msmsgs .exe

 Entries:                1  (1)
 Directories:            0  Files:             1
 Bytes:          1,694,208  Blocks:        3,309
```


----------



## Cookiegal (Aug 27, 2003)

Please remove the version of ComboFix that you currently have and redownload it:

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

 WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts. *
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## jca716 (May 28, 2005)

Followed your instructions to the tee. Here are the results:

ComboFix 08-01-06.4 - Compaq_Owner 2008-01-05 21:56:52.3 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-02 20:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-12-30 19:26 . 2007-12-30 19:26 d--------	C:\Program Files\LimeWire
2007-12-30 18:58 . 2007-12-30 19:34 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-30 18:58 . 2007-12-30 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 15:53 . 2007-12-30 15:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:51 . 2007-12-30 16:10 d--------	C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-30 11:12 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-29 23:33 . 2004-08-04 00:56	116,224	--a------	C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-29 23:33 . 2001-08-17 22:37	27,648	--a------	C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-29 23:33 . 2001-08-17 22:36	23,040	--a------	C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-29 23:33 . 2001-08-17 22:36	17,408	--a------	C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-29 23:31 . 2001-08-17 13:28	701,386	--a------	C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-12-29 23:30 . 2001-08-17 13:28	794,654	--a------	C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-29 23:29 . 2001-08-17 22:36	216,064	--a------	C:\WINDOWS\system32\dllcache\um34scan.dll
2007-12-29 23:28 . 2004-08-04 07:00	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-29 23:27 . 2001-08-17 14:56	172,768	--a------	C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-12-29 23:26 . 2001-08-17 12:18	285,760	--a------	C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-29 23:25 . 2001-08-17 13:51	61,824	--a------	C:\WINDOWS\system32\dllcache\speed.sys
2007-12-29 23:25 . 2001-08-17 22:36	24,660	--a------	C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-12-29 23:24 . 2001-08-17 22:36	106,584	--a------	C:\WINDOWS\system32\dllcache\spdports.dll
2007-12-29 23:24 . 2001-08-17 14:07	19,072	--a------	C:\WINDOWS\system32\dllcache\sparrow.sys
2007-12-29 23:22 . 2004-08-04 07:00	456,704	--a------	C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-29 23:21 . 2004-08-03 22:41	404,990	--a------	C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-29 23:20 . 2001-08-17 22:36	495,616	--a------	C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-29 23:19 . 2004-08-04 00:56	397,056	--a------	C:\WINDOWS\system32\dllcache\s3gnb.dll
2007-12-29 23:18 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-29 23:17 . 2004-08-04 07:00	482,304	--a------	C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-29 23:16 . 2004-08-04 00:56	259,328	--a------	C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-29 23:15 . 2001-08-17 14:05	351,616	--a------	C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-29 23:14 . 2004-08-04 00:56	4,274,816	--a------	C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-29 23:13 . 2004-08-04 00:56	1,737,856	--a------	C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-12-29 23:12 . 2004-08-04 07:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-29 23:11 . 2001-08-17 12:50	320,384	--a------	C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-29 23:10 . 2001-08-17 13:28	802,683	--a------	C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-29 23:09 . 2004-08-04 07:00	1,158,818	--a------	C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-29 23:08 . 2004-08-04 00:56	152,576	--a------	C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-29 23:07 . 2004-08-04 07:00	811,064	--a------	C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-29 23:06 . 2001-08-17 22:36	372,824	--a------	C:\WINDOWS\system32\dllcache\iconf32.dll
2007-12-29 23:05 . 2004-08-04 07:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-29 23:04 . 2001-08-17 13:28	542,879	--a------	C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-29 23:03 . 2001-08-17 22:36	126,976	--a------	C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2007-12-29 23:02 . 2001-08-17 14:56	1,733,120	--a------	C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-29 23:01 . 2001-08-17 12:14	444,416	--a------	C:\WINDOWS\system32\dllcache\fpcibase.sys
2007-12-29 23:00 . 2001-08-17 13:28	595,647	--a------	C:\WINDOWS\system32\dllcache\es56cvmp.sys
2007-12-29 22:59 . 2001-08-17 13:28	634,134	--a------	C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-29 22:58 . 2001-08-17 12:14	952,007	--a------	C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-29 22:57 . 2001-08-17 22:36	419,357	--a------	C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-29 22:56 . 2004-08-04 07:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-29 22:55 . 2001-08-17 13:28	871,388	--a------	C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-29 22:54 . 2004-08-04 00:56	870,784	--a------	C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-12-29 22:53 . 2001-08-17 13:28	762,780	--a------	C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-29 22:52 . 2004-05-13 00:39	876,653	--a------	C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-29 02:49 . 2005-11-09 11:23 d--------	C:\Documents and Settings\Administrator\WINDOWS
2007-12-29 02:49 . 2005-11-09 11:46 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-29 02:49 . 2005-11-09 11:25 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-29 01:20 . 2007-12-29 01:20 d--------	C:\Program Files\Trend Micro
2007-12-28 09:20 . 2007-12-30 20:22 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-27 22:23 . 2007-12-27 22:23 d--------	C:\Program Files\MSN Messenger
2007-12-27 00:09 . 2007-05-29 13:55	22,112	--a------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-27 00:09 . 2007-05-29 13:55	10,592	--a------	C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-27 00:09 . 2007-05-29 13:55	705	--a------	C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-26 21:31 . 2007-12-27 00:09 d--------	C:\Program Files\Norton AntiVirus
2007-12-26 21:29 . 2007-12-26 22:14	123,952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 21:29 . 2007-12-26 22:14	60,800	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 21:29 . 2007-12-26 22:14	10,740	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 21:29 . 2007-12-26 22:14	805	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 23:37 . 2007-12-25 23:37 d--------	C:\Program Files\EA GAMES
2007-12-25 23:17 . 2007-12-25 23:17 d--------	C:\Program Files\PowerISO
2007-12-17 20:23 . 2007-12-17 20:23 d--------	C:\Program Files\Common Files\SureThing Shared
2007-12-17 19:20 . 2007-12-17 19:20 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 18:47 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd
2007-12-15 13:05 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2007-12-15 13:04 . 2007-12-15 13:05 d--------	C:\Program Files\Java
2007-12-15 13:02 . 2007-12-15 13:02 d--------	C:\Program Files\Common Files\Java
2007-12-12 20:37 . 2007-12-12 20:37 d--------	C:\Program Files\uTorrent
2007-12-12 20:37 . 2008-01-05 21:51 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2007-12-12 19:39 . 2006-04-20 06:51	359,808	--a------	C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2007-12-12 19:38 . 2007-12-12 20:04 d--------	C:\Downloads
2007-12-10 20:33 . 2007-12-10 20:33 d--------	C:\Documents and Settings\All Users\Application Data\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 02:52	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 02:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-27 05:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-27 03:15	---------	d-----w	C:\Program Files\Symantec
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2007-12-01 04:57	43,696	----a-w	C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57	317,616	----a-w	C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57	279,088	----a-w	C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57	10,545	----a-w	C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57	1,430	----a-w	C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57	1,421	----a-w	C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57	1,415	----a-w	C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-27 05:54	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Creative
2007-11-17 06:25	---------	d-----w	C:\Program Files\Surreal
2007-11-13 10:25	20,480	----a-r	C:\WINDOWS\system32\drivers\secdrv.sys
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 17:39 771704]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
C:\Program Files\Common Files\mscd.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-05 14:51:28 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 22:01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 22:02:41
ComboFix-quarantined-files.txt 2008-01-06 03:02:22
ComboFix2.txt 2008-01-03 21:43:17
ComboFix3.txt 2008-01-03 01:40:30
.
2007-12-30 05:41:55	--- E O F ---

------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:40 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 4572 bytes

-----------------------------------------------------------------------------------------------------------------------

I'm still getting a message in the Windows Security Center in the Control Panel that states as follows: "The Security Center is currently unavailable because the Security Center service has not started or was stopped. Please close this window, and open the Security Center again." I followed those instructions as well, but to no avail; the Security Center was not restarted without this same message.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the quote box below into it:



> Registry::
> [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]
> [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
> [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, please do this:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *ALL*
In the *Registry* group click *ALL*
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*.
In the *File String Search* group click *SELECT ALL*
In the *Additional Scans* section select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------
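The CFScript above removes two loading points that stand out in the posted logs: the `pmnonop` Winlogon Notify entry, which points at a bare directory (`C:\WINDOWS\`) rather than a DLL, and the Active Setup component `{D51g62BC-...}`, whose "GUID" contains a `g`, which is not a hex digit, so no installer created it. The script below is an added example for this thread, not code from HijackThis, ComboFix or Symantec. It runs those checks, plus the spaced-filename check that RenV flagged (`msmsgs .exe`), the `(file missing)` service check and the removable-drive AutoRun handler check, over a constructed sample of lines in the formats seen in the logs above. The sample's `exampledll` Notify line is a made-up benign control, and the rule names are my own.

```python
"""Triage HijackThis / ComboFix log lines for the indicators seen in this thread.

Added example for this thread, not code from HijackThis, ComboFix or Symantec.
The sample lines and rule names are constructed for illustration.
"""
import re

# Constructed sample in the line formats used by the logs posted above.
# The 'exampledll' Notify line is a made-up benign control, not a real DLL.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs .exe" /background
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\
O20 - Winlogon Notify: exampledll - C:\WINDOWS\system32\exampledll.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
"""

# A real GUID is five groups of hex digits; anything else inside braces is suspect.
HEX_GUID = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
RUN_TARGET_QUOTED = re.compile(r':\s*\[[^\]]*\]\s*"([^"]+)"')
RUN_TARGET_BARE = re.compile(r':\s*\[[^\]]*\]\s*(\S+)')
NOTIFY_LINE = re.compile(r"O20 - Winlogon Notify: (\S+) - (.*)$")
SERVICE_SHORT = re.compile(r"\(([^)]+)\) - ")


def spaced_extension(path: str) -> bool:
    """True when whitespace sits right before the extension, e.g. 'msmsgs .exe'.

    Such a name looks like the real binary in Explorer but is a different file,
    and a Run key launches it without complaint.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.search(r"\S\s+\.[A-Za-z0-9]{1,4}$", name) is not None


def run_target(line: str) -> str:
    """Executable path from an O4 Run line: quoted form first, then the bare token."""
    m = RUN_TARGET_QUOTED.search(line) or RUN_TARGET_BARE.search(line)
    return m.group(1) if m else ""


def check_line(line: str):
    """Return (rule, detail) for a suspicious line, or None."""
    if line.startswith("O4 - "):
        target = run_target(line)
        if target and spaced_extension(target):
            return ("lookalike-filename", target)
    elif line.startswith("O20 - "):
        m = NOTIFY_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(2).strip()
            # A Notify package must name a DLL; a bare directory means the DLL
            # is gone or hidden, which is how Vundo-style loaders tend to look.
            if path.endswith("\\") or not re.search(r"\.[A-Za-z0-9]{1,4}$", path):
                return ("winlogon-notify-no-dll", name)
    elif line.startswith("O23 - ") and "(file missing)" in line:
        # Usually an uninstall leftover, but it is still a dangling service entry.
        m = SERVICE_SHORT.search(line)
        return ("service-file-missing", m.group(1) if m else line)
    elif "active setup\\installed components\\{" in line.lower():
        guid = line[line.rfind("{") + 1 : line.rfind("}")]
        if not HEX_GUID.fullmatch(guid):
            return ("active-setup-bad-guid", guid)
    elif line.startswith("\\Shell\\AutoRun\\command - "):
        # mountpoints2 AutoRun handlers run whatever the medium carries on insertion.
        return ("autorun-handler", line.split(" - ", 1)[1].strip())
    return None


def triage(text: str):
    """Run check_line over every non-blank line and collect the findings in order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = check_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

To use it on a real log, read the saved HijackThis or ComboFix text file and pass it to `triage()`. The hits are triage hints, not verdicts: the orphaned Norton service here is an uninstall leftover, while the notify entry with no DLL and the non-hex Active Setup GUID are the two items worth removing, which is exactly what the CFScript above does.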



## jca716 (May 28, 2005)

ComboFix 08-01-09.2 - Compaq_Owner 2008-01-08 20:38:31.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.47 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-02 20:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-12-30 19:26 . 2007-12-30 19:26 d--------	C:\Program Files\LimeWire
2007-12-30 18:58 . 2007-12-30 19:34 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-30 18:58 . 2007-12-30 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 15:53 . 2007-12-30 15:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:51 . 2007-12-30 16:10 d--------	C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-30 11:12 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-29 23:33 . 2004-08-04 00:56	116,224	--a------	C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-29 23:33 . 2001-08-17 22:37	27,648	--a------	C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-29 23:33 . 2001-08-17 22:36	23,040	--a------	C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-29 23:33 . 2001-08-17 22:36	17,408	--a------	C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-29 23:31 . 2001-08-17 13:28	701,386	--a------	C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-12-29 23:30 . 2001-08-17 13:28	794,654	--a------	C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-29 23:29 . 2001-08-17 22:36	216,064	--a------	C:\WINDOWS\system32\dllcache\um34scan.dll
2007-12-29 23:28 . 2004-08-04 07:00	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-29 23:27 . 2001-08-17 14:56	172,768	--a------	C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-12-29 23:26 . 2001-08-17 12:18	285,760	--a------	C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-29 23:25 . 2001-08-17 13:51	61,824	--a------	C:\WINDOWS\system32\dllcache\speed.sys
2007-12-29 23:25 . 2001-08-17 22:36	24,660	--a------	C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-12-29 23:24 . 2001-08-17 22:36	106,584	--a------	C:\WINDOWS\system32\dllcache\spdports.dll
2007-12-29 23:24 . 2001-08-17 14:07	19,072	--a------	C:\WINDOWS\system32\dllcache\sparrow.sys
2007-12-29 23:22 . 2004-08-04 07:00	456,704	--a------	C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-29 23:21 . 2004-08-03 22:41	404,990	--a------	C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-29 23:20 . 2001-08-17 22:36	495,616	--a------	C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-29 23:19 . 2004-08-04 00:56	397,056	--a------	C:\WINDOWS\system32\dllcache\s3gnb.dll
2007-12-29 23:18 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-29 23:17 . 2004-08-04 07:00	482,304	--a------	C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-29 23:16 . 2004-08-04 00:56	259,328	--a------	C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-29 23:15 . 2001-08-17 14:05	351,616	--a------	C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-29 23:14 . 2004-08-04 00:56	4,274,816	--a------	C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-29 23:13 . 2004-08-04 00:56	1,737,856	--a------	C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-12-29 23:12 . 2004-08-04 07:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-29 23:11 . 2001-08-17 12:50	320,384	--a------	C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-29 23:10 . 2001-08-17 13:28	802,683	--a------	C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-29 23:09 . 2004-08-04 07:00	1,158,818	--a------	C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-29 23:08 . 2004-08-04 00:56	152,576	--a------	C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-29 23:07 . 2004-08-04 07:00	811,064	--a------	C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-29 23:06 . 2001-08-17 22:36	372,824	--a------	C:\WINDOWS\system32\dllcache\iconf32.dll
2007-12-29 23:05 . 2004-08-04 07:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-29 23:04 . 2001-08-17 13:28	542,879	--a------	C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-29 23:03 . 2001-08-17 22:36	126,976	--a------	C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2007-12-29 23:02 . 2001-08-17 14:56	1,733,120	--a------	C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-29 23:01 . 2001-08-17 12:14	444,416	--a------	C:\WINDOWS\system32\dllcache\fpcibase.sys
2007-12-29 23:00 . 2001-08-17 13:28	595,647	--a------	C:\WINDOWS\system32\dllcache\es56cvmp.sys
2007-12-29 22:59 . 2001-08-17 13:28	634,134	--a------	C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-29 22:58 . 2001-08-17 12:14	952,007	--a------	C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-29 22:57 . 2001-08-17 22:36	419,357	--a------	C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-29 22:56 . 2004-08-04 07:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-29 22:55 . 2001-08-17 13:28	871,388	--a------	C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-29 22:54 . 2004-08-04 00:56	870,784	--a------	C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-12-29 22:53 . 2001-08-17 13:28	762,780	--a------	C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-29 22:52 . 2004-05-13 00:39	876,653	--a------	C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-29 02:49 . 2005-11-09 11:23 d--------	C:\Documents and Settings\Administrator\WINDOWS
2007-12-29 02:49 . 2005-11-09 11:46 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-29 02:49 . 2005-11-09 11:25 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-29 01:20 . 2007-12-29 01:20 d--------	C:\Program Files\Trend Micro
2007-12-28 09:20 . 2007-12-30 20:22 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-27 22:23 . 2007-12-27 22:23 d--------	C:\Program Files\MSN Messenger
2007-12-27 00:09 . 2007-05-29 13:55	22,112	--a------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-27 00:09 . 2007-05-29 13:55	10,592	--a------	C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-27 00:09 . 2007-05-29 13:55	705	--a------	C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-26 21:31 . 2007-12-27 00:09 d--------	C:\Program Files\Norton AntiVirus
2007-12-26 21:29 . 2007-12-26 22:14	123,952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 21:29 . 2007-12-26 22:14	60,800	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 21:29 . 2007-12-26 22:14	10,740	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 21:29 . 2007-12-26 22:14	805	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-25 23:37 . 2007-12-25 23:37 d--------	C:\Program Files\EA GAMES
2007-12-25 23:17 . 2007-12-25 23:17 d--------	C:\Program Files\PowerISO
2007-12-17 20:23 . 2007-12-17 20:23 d--------	C:\Program Files\Common Files\SureThing Shared
2007-12-17 19:20 . 2007-12-17 19:20 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 18:47 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd
2007-12-15 13:05 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2007-12-15 13:04 . 2007-12-15 13:05 d--------	C:\Program Files\Java
2007-12-15 13:02 . 2007-12-15 13:02 d--------	C:\Program Files\Common Files\Java
2007-12-12 20:37 . 2007-12-12 20:37 d--------	C:\Program Files\uTorrent
2007-12-12 20:37 . 2008-01-08 17:59 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2007-12-12 19:39 . 2006-04-20 06:51	359,808	--a------	C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2007-12-12 19:38 . 2007-12-12 20:04 d--------	C:\Downloads
2007-12-10 20:33 . 2007-12-10 20:33 d--------	C:\Documents and Settings\All Users\Application Data\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 03:05	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 02:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-27 05:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-27 03:15	---------	d-----w	C:\Program Files\Symantec
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2007-12-01 04:57	43,696	----a-w	C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57	317,616	----a-w	C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57	279,088	----a-w	C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57	10,549	----a-w	C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57	10,545	----a-w	C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57	1,430	----a-w	C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57	1,421	----a-w	C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57	1,415	----a-w	C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-27 05:54	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Creative
2007-11-17 06:25	---------	d-----w	C:\Program Files\Surreal
2007-11-13 10:25	20,480	----a-r	C:\WINDOWS\system32\drivers\secdrv.sys
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

----a-w         1,694,208 2007-12-27 03:33:19  C:\Program Files\Messenger\msmsgs .exe
((((((((((((((((((((((((((((( [email protected]_20.35.27.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-09 01:27:46	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-09 01:38:16	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-09 01:27:46	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-09 01:38:16	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-09 01:27:46	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-09 01:38:16	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-09 01:27:46	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-09 01:38:16	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-09 01:27:47	7,999,488	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-09 01:38:18	7,999,488	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-09 01:27:47	307,200	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-09 01:38:18	307,200	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 17:39 771704]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-07 11:00:48 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:42:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 20:44:57
ComboFix2.txt 2008-01-09 01:35:52
.
2008-01-08 23:08:15	--- E O F ---


----------



## jca716 (May 28, 2005)

I also would like to post the other log (WinPFind3U) that you wanted, but it is too long to post. It keeps telling me that a thread can only contain 30,000 characters, and I even tried to post it in its own individual thread, but it would not let me proceed. Please advise me on how to get this information to you otherwise. I will also add the Spybot log in this reply to see if you can see why my Security Center is not working as well.

--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)

Well, it told me that that was too long also, so I will just place the error entry that kept coming up only. Thanks.


----------



## Cookiegal (Aug 27, 2003)

Please upload the Winpfind3U log as an attachment or split it into two attachments if necessary.


----------



## jca716 (May 28, 2005)

How do I upload as an attachment? I did not see the action specified in the THREAD TOOLS above nor in the private message [email protected]


----------



## Cookiegal (Aug 27, 2003)

Below the reply box you will see a button called "manage attachments". Click on that and then click on "browse" to locate the file on your computer. Open it and click on "upload" and then submit your reply.


----------



## jca716 (May 28, 2005)

Here is the log you requested.


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.



> [Kill Explorer]
> [Files/Folders - Created Within 60 days]
> NY -> S8A6A6C06.tmp -> %SystemRoot%\S8A6A6C06.tmp
> NY -> hosts.20080102-195622.backup -> %System32%\drivers\etc\hosts.20080102-195622.backup
> ...


----------



## Cookiegal (Aug 27, 2003)

Also, please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "application" and "system" for recent errors shown in red and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## jca716 (May 28, 2005)

Well, I've got bad news. When I copied and pasted in the Run Fix box, the program became nonresponsive more than 10 times. I disabled all the virus and firewall programs like you told me to before I did it; I even unplugged my modem. When I went to the Event Viewer and clicked on the two pages icon you specified, it did nothing at all. There were a great deal of error messages in each category as well. I went to different errors with the same results. When I hit copy to clipboard it did nothing at all. The only thing I have is a HijackThis log for you as posted below. My PC still boots very slow now, and I mean very slow compared to normal. The first time I rebooted after running WinPFind3U.exe the desktop recovery deal popped up as well, then some script error message. My CD drive now doesn't read or write CDs anymore. My PC is not even a year old so I don't think it's faulty. Whatever you need, I will help to the best of my ability. Here is the log you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:05 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3972 bytes


----------
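The HijackThis log above is being read by eye for the handful of entry types that matter in a Vundo cleanup: O20 Winlogon Notify entries (Vundo registers a randomly named system32 DLL under Winlogon\Notify so winlogon.exe loads it at every logon), O2 BHOs and O23 services whose binary no longer exists, and O6 Internet Explorer policy restrictions. As an added example, not code from HijackThis, ComboFix, or anyone in this thread, here is a small Python triage script that parses HijackThis 2.x item lines and flags exactly those entries. The sample lines are a constructed subset copied from the log posted above; the flagging rules and reason labels are the example's own heuristics, not HijackThis output.

```python
"""Triage a HijackThis 2.x log for persistence entries worth a second look.

Added example for this thread; it is not code from HijackThis, ComboFix or
the thread's participants. The flagging rules below are this example's own
heuristics. SAMPLE_LOG is a constructed subset of the log posted above.
"""
import re
import sys

# Constructed sample: a handful of the O2/O4/O6/O20/O23 lines posted above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# HijackThis item lines look like "O20 - <body>", "R1 - <body>", "F2 - <body>".
ITEM_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")


def parse_hjt(text):
    """Yield (section, body) for every HijackThis item line, skipping headers."""
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return [(section, reason, body)] for entries that merit manual inspection."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon\Notify DLLs are loaded into winlogon.exe at logon, which
            # is where Vundo hooks itself. A Notify subkey whose path is not a
            # .dll at all is a broken or half-removed hook; flag it separately.
            path = body.split(" - ", 1)[1] if " - " in body else ""
            reason = "winlogon-notify" if path.lower().endswith(".dll") else "winlogon-notify-no-dll"
            findings.append((section, reason, body))
        elif section == "O2" and body.endswith("(no file)"):
            # BHO CLSID still registered but its DLL is gone: a dead reference
            # that should be removed so nothing can re-point it later.
            findings.append((section, "bho-missing-file", body))
        elif section == "O23" and body.endswith("(file missing)"):
            # Service registered but its binary is gone, typically left behind
            # by an uninstaller or a partial AV cleanup.
            findings.append((section, "service-missing-file", body))
        elif section == "O6":
            # IE policy restrictions lock browser settings; malware sets these
            # far more often than home users do.
            findings.append((section, "ie-policy-restrictions", body))
    return findings


def main(argv):
    """Print findings for a saved hijackthis.log, or for SAMPLE_LOG if no path is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for section, reason, body in triage(text):
        print(f"{section:<4} {reason:<24} {body}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python hjt_triage.py hijackthis.log` (any path and filename are the reader's choice). On the sample it flags four of the seven lines and leaves the ctfmon Run entry, the Spybot BHO and the ATI service alone. The interesting hit on this machine's log is `O20 - Winlogon Notify: pmnonop - C:\WINDOWS\`, a Notify subkey whose DllName does not resolve to a DLL; whether that is a leftover from an earlier removal or a DLL HijackThis could not locate, it is the entry a cleanup script needs to delete, together with the empty `winlogon\notify\pmnonop` key that the later ComboFix log lists under Reg Loading Points.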



## Cookiegal (Aug 27, 2003)

When you clicked on the two pages, did you open a Word document and click "edit" and "paste"? If you do that the error should appear.

Please remove the version of ComboFix that you have and get the latest version.

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

WARNING: *If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## jca716 (May 28, 2005)

ComboFix 08-01-17.3 - Compaq_Owner 2008-01-16 23:08:19.6 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-12 19:25 . 2008-01-12 19:59 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 20:36 . 2008-01-11 21:59 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-01-11 20:35 . 2008-01-11 20:35 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-11 20:34 . 2008-01-11 20:34 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 20:34 . 2008-01-16 08:00 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 20:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-12-30 19:26 . 2007-12-30 19:26 d--------	C:\Program Files\LimeWire
2007-12-30 18:58 . 2007-12-30 19:34 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-30 18:58 . 2007-12-30 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 15:53 . 2007-12-30 15:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:51 . 2007-12-30 16:10 d--------	C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-30 11:12 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-29 23:33 . 2004-08-04 00:56	116,224	--a------	C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-29 23:33 . 2001-08-17 22:37	27,648	--a------	C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-29 23:33 . 2001-08-17 22:36	23,040	--a------	C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-29 23:33 . 2001-08-17 22:36	17,408	--a------	C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-29 23:31 . 2001-08-17 13:28	701,386	--a------	C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-12-29 23:30 . 2001-08-17 13:28	794,654	--a------	C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-29 23:29 . 2001-08-17 22:36	216,064	--a------	C:\WINDOWS\system32\dllcache\um34scan.dll
2007-12-29 23:28 . 2004-08-04 07:00	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-29 23:27 . 2001-08-17 14:56	172,768	--a------	C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-12-29 23:26 . 2001-08-17 12:18	285,760	--a------	C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-29 23:25 . 2001-08-17 13:51	61,824	--a------	C:\WINDOWS\system32\dllcache\speed.sys
2007-12-29 23:25 . 2001-08-17 22:36	24,660	--a------	C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-12-29 23:24 . 2001-08-17 22:36	106,584	--a------	C:\WINDOWS\system32\dllcache\spdports.dll
2007-12-29 23:24 . 2001-08-17 14:07	19,072	--a------	C:\WINDOWS\system32\dllcache\sparrow.sys
2007-12-29 23:22 . 2004-08-04 07:00	456,704	--a------	C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-29 23:21 . 2004-08-03 22:41	404,990	--a------	C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-29 23:20 . 2001-08-17 22:36	495,616	--a------	C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-29 23:19 . 2004-08-04 00:56	397,056	--a------	C:\WINDOWS\system32\dllcache\s3gnb.dll
2007-12-29 23:18 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-29 23:17 . 2004-08-04 07:00	482,304	--a------	C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-29 23:16 . 2004-08-04 00:56	259,328	--a------	C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-29 23:15 . 2001-08-17 14:05	351,616	--a------	C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-29 23:14 . 2004-08-04 00:56	4,274,816	--a------	C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-29 23:13 . 2004-08-04 00:56	1,737,856	--a------	C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-12-29 23:12 . 2004-08-04 07:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-29 23:11 . 2001-08-17 12:50	320,384	--a------	C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-29 23:10 . 2001-08-17 13:28	802,683	--a------	C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-29 23:09 . 2004-08-04 07:00	1,158,818	--a------	C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-29 23:08 . 2004-08-04 00:56	152,576	--a------	C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-29 23:07 . 2004-08-04 07:00	811,064	--a------	C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-29 23:06 . 2001-08-17 22:36	372,824	--a------	C:\WINDOWS\system32\dllcache\iconf32.dll
2007-12-29 23:05 . 2004-08-04 07:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-29 23:04 . 2001-08-17 13:28	542,879	--a------	C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-29 23:03 . 2001-08-17 22:36	126,976	--a------	C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2007-12-29 23:02 . 2001-08-17 14:56	1,733,120	--a------	C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-29 23:01 . 2001-08-17 12:14	444,416	--a------	C:\WINDOWS\system32\dllcache\fpcibase.sys
2007-12-29 23:00 . 2001-08-17 13:28	595,647	--a------	C:\WINDOWS\system32\dllcache\es56cvmp.sys
2007-12-29 22:59 . 2001-08-17 13:28	634,134	--a------	C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-29 22:58 . 2001-08-17 12:14	952,007	--a------	C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-29 22:57 . 2001-08-17 22:36	419,357	--a------	C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-29 22:56 . 2004-08-04 07:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-29 22:55 . 2001-08-17 13:28	871,388	--a------	C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-29 22:54 . 2004-08-04 00:56	870,784	--a------	C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-12-29 22:53 . 2001-08-17 13:28	762,780	--a------	C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-29 22:52 . 2004-05-13 00:39	876,653	--a------	C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-29 02:49 . 2005-11-09 11:23 d--------	C:\Documents and Settings\Administrator\WINDOWS
2007-12-29 02:49 . 2005-11-09 11:46 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-29 02:49 . 2005-11-09 11:25 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-29 01:20 . 2007-12-29 01:20 d--------	C:\Program Files\Trend Micro
2007-12-28 09:20 . 2007-12-30 20:22 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-27 22:23 . 2007-12-27 22:23 d--------	C:\Program Files\MSN Messenger
2007-12-27 00:09 . 2007-05-29 13:55	22,112	--a------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-27 00:09 . 2007-05-29 13:55	10,592	--a------	C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-27 00:09 . 2007-05-29 13:55	705	--a------	C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-25 23:37 . 2007-12-25 23:37 d--------	C:\Program Files\EA GAMES
2007-12-17 20:23 . 2007-12-17 20:23 d--------	C:\Program Files\Common Files\SureThing Shared
2007-12-17 19:20 . 2007-12-17 19:20 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 18:47 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 18:56	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-16 18:55	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 13:51	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-01-13 01:51	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-12 01:30	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-03 00:25	15,360	----a-w	C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-03 00:25	15,360	----a-w	C:\WINDOWS\system32\ctfmon.exe
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-15 18:05	---------	d-----w	C:\Program Files\Java
2007-12-15 18:02	---------	d-----w	C:\Program Files\Common Files\Java
2007-12-13 01:37	---------	d-----w	C:\Program Files\uTorrent
2007-12-11 01:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2007-11-27 05:54	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Creative
2007-11-17 06:25	---------	d-----w	C:\Program Files\Surreal
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-31 10:12	3,590,656	----a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20	360,064	----a-w	C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40	222,720	----a-w	C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34	8,460,288	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
2005-05-12 14:36	12,288	----a-w	C:\WINDOWS\Fonts\RandFont.dll
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

----a-w         1,694,208 2007-12-27 03:33:19  C:\Program Files\Messenger\msmsgs .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-11 20:35 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 22:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 23:12:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 23:15:02
.
2008-01-08 23:08:15	--- E O F ---


----------



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:50 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3176 bytes


----------



## Cookiegal (Aug 27, 2003)

Since you're using AVG Free anti-virus, you need to completely remove Norton. This could be causing some problems.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\

Open Notepad and copy and paste the text in the code box below into it:


```
RenV::
C:\Program Files\Messenger\msmsgs .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonop]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## jca716 (May 28, 2005)

ComboFix 08-01-17.3 - Compaq_Owner 2008-01-17 15:14:55.7 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-12 19:25 . 2008-01-12 19:59 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 20:36 . 2008-01-11 21:59 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-01-11 20:35 . 2008-01-11 20:35 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-11 20:34 . 2008-01-11 20:34 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 20:34 . 2008-01-17 08:00 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 20:15 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-12-30 19:26 . 2007-12-30 19:26 d--------	C:\Program Files\LimeWire
2007-12-30 18:58 . 2007-12-30 19:34 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-30 18:58 . 2007-12-30 22:41 d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 15:53 . 2007-12-30 15:52	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:51 . 2007-12-30 16:10 d--------	C:\Documents and Settings\Compaq_Owner\.housecall6.6
2007-12-30 11:12 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-29 23:33 . 2004-08-04 00:56	116,224	--a------	C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-29 23:33 . 2001-08-17 22:37	27,648	--a------	C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-29 23:33 . 2001-08-17 22:36	23,040	--a------	C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-29 23:33 . 2001-08-17 22:36	17,408	--a------	C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-29 23:31 . 2001-08-17 13:28	701,386	--a------	C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-12-29 23:30 . 2001-08-17 13:28	794,654	--a------	C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-29 23:29 . 2001-08-17 22:36	216,064	--a------	C:\WINDOWS\system32\dllcache\um34scan.dll
2007-12-29 23:28 . 2004-08-04 07:00	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-29 23:27 . 2001-08-17 14:56	172,768	--a------	C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-12-29 23:26 . 2001-08-17 12:18	285,760	--a------	C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-29 23:25 . 2001-08-17 13:51	61,824	--a------	C:\WINDOWS\system32\dllcache\speed.sys
2007-12-29 23:25 . 2001-08-17 22:36	24,660	--a------	C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-12-29 23:24 . 2001-08-17 22:36	106,584	--a------	C:\WINDOWS\system32\dllcache\spdports.dll
2007-12-29 23:24 . 2001-08-17 14:07	19,072	--a------	C:\WINDOWS\system32\dllcache\sparrow.sys
2007-12-29 23:22 . 2004-08-04 07:00	456,704	--a------	C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-12-29 23:21 . 2004-08-03 22:41	404,990	--a------	C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-29 23:20 . 2001-08-17 22:36	495,616	--a------	C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-29 23:19 . 2004-08-04 00:56	397,056	--a------	C:\WINDOWS\system32\dllcache\s3gnb.dll
2007-12-29 23:18 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-29 23:17 . 2004-08-04 07:00	482,304	--a------	C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-29 23:16 . 2004-08-04 00:56	259,328	--a------	C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-29 23:15 . 2001-08-17 14:05	351,616	--a------	C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-29 23:14 . 2004-08-04 00:56	4,274,816	--a------	C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-29 23:13 . 2004-08-04 00:56	1,737,856	--a------	C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-12-29 23:12 . 2004-08-04 07:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-29 23:11 . 2001-08-17 12:50	320,384	--a------	C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-29 23:10 . 2001-08-17 13:28	802,683	--a------	C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-29 23:09 . 2004-08-04 07:00	1,158,818	--a------	C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-29 23:08 . 2004-08-04 00:56	152,576	--a------	C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-29 23:07 . 2004-08-04 07:00	811,064	--a------	C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-29 23:06 . 2001-08-17 22:36	372,824	--a------	C:\WINDOWS\system32\dllcache\iconf32.dll
2007-12-29 23:05 . 2004-08-04 07:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-29 23:04 . 2001-08-17 13:28	542,879	--a------	C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-29 23:03 . 2001-08-17 22:36	126,976	--a------	C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2007-12-29 23:02 . 2001-08-17 14:56	1,733,120	--a------	C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-29 23:01 . 2001-08-17 12:14	444,416	--a------	C:\WINDOWS\system32\dllcache\fpcibase.sys
2007-12-29 23:00 . 2001-08-17 13:28	595,647	--a------	C:\WINDOWS\system32\dllcache\es56cvmp.sys
2007-12-29 22:59 . 2001-08-17 13:28	634,134	--a------	C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-29 22:58 . 2001-08-17 12:14	952,007	--a------	C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-29 22:57 . 2001-08-17 22:36	419,357	--a------	C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-29 22:56 . 2004-08-04 07:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-29 22:55 . 2001-08-17 13:28	871,388	--a------	C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-12-29 22:54 . 2004-08-04 00:56	870,784	--a------	C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-12-29 22:53 . 2001-08-17 13:28	762,780	--a------	C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-29 22:52 . 2004-05-13 00:39	876,653	--a------	C:\WINDOWS\system32\dllcache\fp4awel.dll
2007-12-29 02:49 . 2005-11-09 11:23 d--------	C:\Documents and Settings\Administrator\WINDOWS
2007-12-29 02:49 . 2005-11-09 11:46 d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-29 02:49 . 2005-11-09 11:25 d--------	C:\Documents and Settings\Administrator\Application Data\Intuit
2007-12-29 01:20 . 2007-12-29 01:20 d--------	C:\Program Files\Trend Micro
2007-12-28 09:20 . 2007-12-30 20:22 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-27 22:23 . 2007-12-27 22:23 d--------	C:\Program Files\MSN Messenger
2007-12-27 00:09 . 2007-05-29 13:55	22,112	--a------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-27 00:09 . 2007-05-29 13:55	10,592	--a------	C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-27 00:09 . 2007-05-29 13:55	705	--a------	C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-25 23:37 . 2007-12-25 23:37 d--------	C:\Program Files\EA GAMES
2007-12-17 20:23 . 2007-12-17 20:23 d--------	C:\Program Files\Common Files\SureThing Shared
2007-12-17 19:20 . 2007-12-17 19:20 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 18:47 . 2003-06-12 23:25	7,062	--a------	C:\WINDOWS\system32\audiopid.vxd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 18:56	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-16 18:55	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 13:51	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-01-13 01:51	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-12 01:30	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-15 18:05	---------	d-----w	C:\Program Files\Java
2007-12-15 18:02	---------	d-----w	C:\Program Files\Common Files\Java
2007-12-13 01:37	---------	d-----w	C:\Program Files\uTorrent
2007-12-11 01:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2007-11-27 05:54	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Creative
2007-11-17 06:25	---------	d-----w	C:\Program Files\Surreal
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_23.14.42.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 04:07:55	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 20:14:21	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 04:07:55	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 20:14:21	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 04:07:55	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 20:14:21	1,417,216	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 04:07:55	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 20:14:22	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 04:07:56	7,999,488	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 20:14:24	7,999,488	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-17 04:07:56	307,200	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 20:14:24	307,200	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-11 20:35 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 22:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 15:21:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 15:24:12
ComboFix2.txt 2008-01-17 04:15:03
.
2008-01-08 23:08:15	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:45 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3067 bytes

I deleted the Norton entry in the HijackThis log, along with the other 2 entries that you stated before...


----------



## jca716 (May 28, 2005)

Why is it saying I don't have a Recovery Console installed?


----------



## Cookiegal (Aug 27, 2003)

Fix this one as well:
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

How are things now?
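The entries ticked for "fix checked" in the two replies above fall into three classes a helper looks for first in a HijackThis log: an O6 line (IE policy restrictions set under HKCU, which the user did not set), an O20 Winlogon Notify entry whose target is not a DLL at all (Winlogon notification packages are loaded into winlogon.exe itself, so a malicious one runs as SYSTEM at every logon, which is why such an entry is worth removing at the registry key rather than waiting for a file scanner to find it), and O23 services that HijackThis marks "(file missing)" because the uninstaller left the service registration behind. The Python script below is an added example, not part of this thread and not HijackThis's own logic; it applies those three rules to a constructed excerpt of the log posted above. The regular expressions, the `Finding` class, the `file_exists` hook and the rule "a Winlogon Notify entry must name a .dll that exists on disk" are this example's own heuristics.

```python
"""Triage a HijackThis 2.x log for the three entry classes fixed in this thread:
O6 policy restrictions, O20 Winlogon Notify entries without a real DLL target,
and O23 services whose binary is gone.  Added example; not from the thread or
from HijackThis itself."""
import os
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the HijackThis log posted in the thread,
# keeping one representative of each entry type the rules below care about.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: pmnonop - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
"""


@dataclass(frozen=True)
class Finding:
    entry: str   # the full HijackThis line, exactly as it should be ticked
    reason: str  # why a helper would put a check mark beside it


# Line formats as HijackThis 2.0.2 prints them (example's own patterns).
O6_RE = re.compile(r"^O6 - ")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text, file_exists=os.path.exists):
    """Return the log lines a helper would tick, in log order.

    file_exists is injectable so the O20 check can be run against the live
    machine (default) or stubbed out when analysing a log from another box."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if O6_RE.match(line):
            findings.append(Finding(
                line, "IE policy restrictions under HKCU; only legitimate if an admin set them"))
            continue
        m = O20_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            # A real notification package is a DLL; a bare directory (the
            # thread's 'C:\WINDOWS\') means the value is dangling or hidden.
            if not path.lower().endswith(".dll"):
                findings.append(Finding(
                    line, f"Winlogon Notify '{name}' has no DLL target ({path!r})"))
            elif not file_exists(path):
                findings.append(Finding(
                    line, f"Winlogon Notify '{name}' names a DLL that is not on disk: {path}"))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append(Finding(
                line, f"service '{m.group('display')}' points at a binary that no longer exists"))
    return findings


def fix_list(findings):
    """The exact lines to check in HijackThis before clicking 'Fix checked'."""
    return [f.entry for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, file_exists=lambda p: True):
        print(f"FIX  {f.entry}\n     {f.reason}")
```

Run as-is it lists the four lines that were fixed across the two replies (O6, O20 pmnonop, CLTNetCnService and navapsvc) and leaves the AVG, ATI and CyberLink entries alone. On the affected machine, drop the `file_exists` stub so that O20 entries which do name a DLL are checked against the disk; HijackThis already hides the Microsoft defaults, so any Notify entry it prints deserves a look.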


----------



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:38 AM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webteh\BSplayerPro\bsplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3124 bytes

Can't seem to get the Norton and Symantec entries to disappear... this will be the 3rd time I try to rid my system of them. I'm gonna download Ad-Aware again when I get off work to see if it will perform a full scan now, but otherwise all is running fine... my boot time has improved a great deal as well... you are an angel sent from [email protected]


----------



## Cookiegal (Aug 27, 2003)

Don't worry about the recovery console notation.

You really should run Symantec's removal tool to clear out the remnants of Norton.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the Kaspersky scan*


----------



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:32 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3665 bytes


----------



## jca716 (May 28, 2005)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 7:28:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 536353
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 86458
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 02:03:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\svchost.exe.bac_a02388	Infected: not-a-virus:RiskTool.Win32.HideWindows	skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012008012920080130\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\1496169721.exe	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFEEB0.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFEEBD.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\sti.log	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP44\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3627C4F6-D7D2-49BE-B9FF-DF59A8486C0B}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system\dcache\data\scan\Fun.tim	Infected: Backdoor.IRC.Flood	skipped
C:\WINDOWS\system\dcache\data\scan\k.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.1101	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\drivers\sptd.sys	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0015.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0016.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe	WiseSFX: infected - 2	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe	WiseSFXDropper: infected - 2	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe/WISE0015.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe/WISE0016.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe	WiseSFX: infected - 2	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe	WiseSFXDropper: infected - 2	skipped

Scan process completed.


----------



## Cookiegal (Aug 27, 2003)

Do you recognize this?

C:\WINDOWS\system\dcache\data\scan\Fun.tim

I'd like to know what else is in this folder please (file names):

C:\WINDOWS\system\*dcache*


----------



## jca716 (May 28, 2005)

data/scan/fun.tim......lockdown2.tim.....lockdown.tim........mirc.ini.....remote.ini......ScanKit cmds.txt...security.tim


----------



## Cookiegal (Aug 27, 2003)

I don't understand. Are those items in the "scan" folder?


----------



## jca716 (May 28, 2005)

Yes they are...I've never seen it before....I have no apps that I know run off that folder...but you will let me know all that, right?


----------



## Cookiegal (Aug 27, 2003)

So to be sure, all you have under this:

C:\WINDOWS\system\*dcache*

is the folder called *data* and nothing else?

Are you using mIRC?


----------



## jca716 (May 28, 2005)

Yes, just data...don't know if I'm using mIRC. Don't even know what that is.


----------



## Cookiegal (Aug 27, 2003)

It's an Internet Relay Chat Client.

http://en.wikipedia.org/wiki/MIRC

Are you using it?

Open Notepad and copy and paste the text in the code box below into it:


```
DirLook::
C:\WINDOWS\system\dcache
C:\WINDOWS\system\dcache\data
C:\WINDOWS\system\dcache\data\scan
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------
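The DirLook directive above makes ComboFix print one line per file in the named folders: timestamp, size, a positional attribute string (`a` archive, `h` hidden, `s` system) and the full path, separated by tabs. As an added example, not part of this thread and not ComboFix's own code, here is a small Python parser for that layout that flags hidden executables and well-known system binary names sitting outside System32, the two things an analyst reading such a listing checks first. The sample listing is constructed in the ComboFix layout, and the line regex, the set of system binary names and the list of executable extensions are my assumptions.

```python
"""Parse a ComboFix DirLook listing and flag entries worth a closer look.

Added example for this thread; it is not ComboFix's own code. It assumes
the layout ComboFix prints in its "Look" section, one file per line:
    <YYYY-MM-DD HH:MM><TAB><size><TAB><attribute flags><TAB><full path>
where the flag string is positional and carries 'a' (archive), 'h'
(hidden) and 's' (system), e.g. "--ah-----". The sample below is
constructed in that layout, not copied from a real machine.
"""
import re
from dataclasses import dataclass

# Constructed sample in the DirLook layout (a directory header, a blank line, file lines).
SAMPLE_DIRLOOK = (
    "---- Directory of C:\\WINDOWS\\system\\dcache\\data\\scan ----\n"
    "\n"
    "2007-01-24 09:34\t3453\t--a------\tC:\\WINDOWS\\system\\dcache\\data\\scan\\mirc.ini \n"
    "2006-10-31 03:28\t14\t--ah-----\tC:\\WINDOWS\\system\\dcache\\data\\scan\\server.txt \n"
    "2005-05-28 00:00\t341\t--ah-----\tC:\\WINDOWS\\system\\dcache\\data\\scan\\start.bat \n"
    "2004-12-03 00:00\t122880\t--ah-----\tC:\\WINDOWS\\system\\dcache\\data\\scan\\k.exe \n"
    "2004-08-03 00:00\t659456\t--ah-----\tC:\\WINDOWS\\system\\dcache\\data\\scan\\spoolsv.exe\n"
    "2008-01-10 12:00\t65536\t--a------\tC:\\WINDOWS\\system32\\spoolsv.exe\n"
)

# Assumed line shape; the trailing \s* absorbs the space ComboFix leaves after most paths.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t(\d+)\t([-A-Za-z]+)\t(.+?)\s*$")

# Core Windows binaries whose one legitimate home is %SystemRoot%\system32 (assumed list).
# A file carrying one of these names anywhere else is a classic disguise to verify by hand.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "ctfmon.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".pif")


@dataclass
class Entry:
    mtime: str
    size: int
    flags: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def hidden(self) -> bool:
        return "h" in self.flags.lower()


def parse_dirlook(text: str) -> list:
    """Return one Entry per file line; directory headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def findings(entries: list) -> list:
    """Return (path, reason) pairs for entries an analyst should verify by hand."""
    out = []
    for e in entries:
        name = e.name.lower()
        if e.hidden and name.endswith(EXECUTABLE_EXT):
            out.append((e.path, "hidden executable"))
        if name in SYSTEM_BINARIES and not e.parent.lower().endswith("\\system32"):
            out.append((e.path, "system binary name outside system32"))
    return out


def scan_dirlook(text: str) -> list:
    """Parse a listing and return its findings in one call."""
    return findings(parse_dirlook(text))


if __name__ == "__main__":
    for path, reason in scan_dirlook(SAMPLE_DIRLOOK):
        print(f"{reason:40} {path}")
```

Hidden attributes on a `.txt` or `.ini` are reported only through the executable check on purpose: the point of the listing is to surface runnable content that was deliberately hidden, and a plain-text file next to it is evidence to read, not something to flag on its own. A hit from this script is a reason to look at the file, not a verdict.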



## jca716 (May 28, 2005)

I'm about to do the requested action above now...but now I have a new trojan in my system....Every time I use Spybot it detects Smitfraud-C.Coreservice, removes it, but after reboot it's detected again.


----------



## jca716 (May 28, 2005)

P.S.

The only chat software that is installed is Live Messenger and AIM...plus the ComboFix that I have said it was out of date.


----------



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41, on 2008-02-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpybotDeletingA3465] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8411] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7189] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1501] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3954 bytes


----------



## Cookiegal (Aug 27, 2003)

Please remove the ComboFix version you have, grab a new one, and then run the script in my instructions in post no. 51:

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.


----------



## jca716 (May 28, 2005)

ComboFix 08-02.03.1 - Compaq_Owner 2008-02-03 20:33:32.8 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 14:14 . 2008-02-03 14:14 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-03 14:14 . 2008-02-03 19:10 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-02-03 14:13 . 2008-02-03 14:13 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-03 14:09 . 2008-02-03 14:18 d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-03 10:37 . 2008-02-03 10:38	41,168,824	--a------	C:\WINDOWS\system32\avg75avwt_516a1225.exe
2008-02-03 10:37 . 2008-02-03 10:37	167,545	--a------	C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-03 10:37 . 2008-02-03 10:37	86,144	--a------	C:\WINDOWS\system32\drivers\bridgee.sys
2008-01-29 21:07 . 2008-01-29 21:32	1,122,304	---h-----	C:\WINDOWS\system32\wodfamop.dll
2008-01-29 16:49 . 2008-01-29 16:49 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-29 16:49 . 2008-01-29 16:49 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 20:27 . 2008-01-28 20:27 d--------	C:\WINDOWS\system32\bak
2008-01-21 19:48 . 2008-02-03 20:27 d--------	C:\Program Files\Spybot - Search & Destroy
2008-01-12 19:25 . 2008-01-12 19:59 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 01:27	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 01:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 11:12	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-01-29 21:33	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-29 21:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-22 02:01	---------	d-----w	C:\Program Files\PC-Doctor 5 for Windows
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 03:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-31 00:34	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-31 00:26	---------	d-----w	C:\Program Files\LimeWire
2007-12-30 20:52	102,664	----a-w	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 06:20	---------	d-----w	C:\Program Files\Trend Micro
2007-12-28 03:23	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-26 04:37	---------	d-----w	C:\Program Files\EA GAMES
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\SureThing Shared
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-18 00:20	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-15 18:05	---------	d-----w	C:\Program Files\Java
2007-12-15 18:02	---------	d-----w	C:\Program Files\Common Files\Java
2007-12-13 01:37	---------	d-----w	C:\Program Files\uTorrent
2007-12-11 01:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system\dcache ----

2007-01-24 09:34	3453	--a------	C:\WINDOWS\system\dcache\data\scan\mirc.ini 
2007-01-24 01:03	761	--a------	C:\WINDOWS\system\dcache\data\scan\remote.ini 
2006-12-25 20:09	376	--a------	C:\WINDOWS\system\dcache\data\scan\ScanKit Cmds.txt 
2006-12-13 21:54	8823	--a------	C:\WINDOWS\system\dcache\data\scan\Fun.tim 
2006-10-31 03:28	14	--ah-----	C:\WINDOWS\system\dcache\data\scan\server.txt 
2006-09-18 01:10	658	--a------	C:\WINDOWS\system\dcache\data\scan\security.tim 
2006-09-18 00:55	327	--a------	C:\WINDOWS\system\dcache\data\scan\lockdown.tim 
2006-02-19 00:00	205	--a------	C:\WINDOWS\system\dcache\data\scan\lockdown2.tim 
2005-05-28 00:00	341	--ah-----	C:\WINDOWS\system\dcache\data\scan\start.bat 
2005-02-12 00:00	204	--ah-----	C:\WINDOWS\system\dcache\data\scan\HideWin.ini 
2005-01-31 00:00	4	--ah-----	C:\WINDOWS\system\dcache\data\scan\spoolsvc.dll 
2004-12-03 00:00	122880	--ah-----	C:\WINDOWS\system\dcache\data\scan\k.exe 
2004-08-05 00:00	151	--ah-----	C:\WINDOWS\system\dcache\data\scan\mirc.REG 
2004-08-03 00:00	659456	--ah-----	C:\WINDOWS\system\dcache\data\scan\spoolsv.exe

---- Directory of C:\WINDOWS\system\dcache\data ----

2007-01-24 09:34	3453	--a------	C:\WINDOWS\system\dcache\data\scan\mirc.ini 
2007-01-24 01:03	761	--a------	C:\WINDOWS\system\dcache\data\scan\remote.ini 
2006-12-25 20:09	376	--a------	C:\WINDOWS\system\dcache\data\scan\ScanKit Cmds.txt 
2006-12-13 21:54	8823	--a------	C:\WINDOWS\system\dcache\data\scan\Fun.tim 
2006-10-31 03:28	14	--ah-----	C:\WINDOWS\system\dcache\data\scan\server.txt 
2006-09-18 01:10	658	--a------	C:\WINDOWS\system\dcache\data\scan\security.tim 
2006-09-18 00:55	327	--a------	C:\WINDOWS\system\dcache\data\scan\lockdown.tim 
2006-02-19 00:00	205	--a------	C:\WINDOWS\system\dcache\data\scan\lockdown2.tim 
2005-05-28 00:00	341	--ah-----	C:\WINDOWS\system\dcache\data\scan\start.bat 
2005-02-12 00:00	204	--ah-----	C:\WINDOWS\system\dcache\data\scan\HideWin.ini 
2005-01-31 00:00	4	--ah-----	C:\WINDOWS\system\dcache\data\scan\spoolsvc.dll 
2004-12-03 00:00	122880	--ah-----	C:\WINDOWS\system\dcache\data\scan\k.exe 
2004-08-05 00:00	151	--ah-----	C:\WINDOWS\system\dcache\data\scan\mirc.REG 
2004-08-03 00:00	659456	--ah-----	C:\WINDOWS\system\dcache\data\scan\spoolsv.exe

---- Directory of C:\WINDOWS\system\dcache\data\scan ----

2007-01-24 09:34	3453	--a------	C:\WINDOWS\system\dcache\data\scan\mirc.ini 
2007-01-24 01:03	761	--a------	C:\WINDOWS\system\dcache\data\scan\remote.ini 
2006-12-25 20:09	376	--a------	C:\WINDOWS\system\dcache\data\scan\ScanKit Cmds.txt 
2006-12-13 21:54	8823	--a------	C:\WINDOWS\system\dcache\data\scan\Fun.tim 
2006-10-31 03:28	14	--ah-----	C:\WINDOWS\system\dcache\data\scan\server.txt 
2006-09-18 01:10	658	--a------	C:\WINDOWS\system\dcache\data\scan\security.tim 
2006-09-18 00:55	327	--a------	C:\WINDOWS\system\dcache\data\scan\lockdown.tim 
2006-02-19 00:00	205	--a------	C:\WINDOWS\system\dcache\data\scan\lockdown2.tim 
2005-05-28 00:00	341	--ah-----	C:\WINDOWS\system\dcache\data\scan\start.bat 
2005-02-12 00:00	204	--ah-----	C:\WINDOWS\system\dcache\data\scan\HideWin.ini 
2005-01-31 00:00	4	--ah-----	C:\WINDOWS\system\dcache\data\scan\spoolsvc.dll 
2004-12-03 00:00	122880	--ah-----	C:\WINDOWS\system\dcache\data\scan\k.exe 
2004-08-05 00:00	151	--ah-----	C:\WINDOWS\system\dcache\data\scan\mirc.REG 
2004-08-03 00:00	659456	--ah-----	C:\WINDOWS\system\dcache\data\scan\spoolsv.exe

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2007-02-10 19:28:55 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-03 14:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-03 14:14 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

R1 bridgee;bridgee;C:\WINDOWS\system32\drivers\bridgee.sys [2008-02-03 10:37]
S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 20:39:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-03 20:44:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 01:44:29
ComboFix2.txt 2008-01-17 20:24:13
.
2008-01-08 23:08:15	--- E O F --- 
-----------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48, on 2008-02-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 2982 bytes
------------------------------------------------------------------------------------------------------------------------

Just wanted to mention that I have AVG Free Edition and the Resident Shield is turned on, but at the bottom right of my screen Windows Security is telling me that my virus protection is turned off. I'm still getting pop-ups as well from the Smithfraud-C.Core services entry...I deleted Spybot and Ad-Aware SE for the meantime till these new threats are deleted..thanks so much


----------
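The thread now holds two HijackThis logs from the same evening, 19:41 before the second ComboFix run and 20:48 after it, and the useful question is which autostart items disappeared or appeared between them. As an added example, not the thread's own work and not HijackThis's tooling, here is a Python script that diffs the item lines of two such logs and separately lists O23 services whose binary carried no readable vendor name. The embedded samples are abbreviated excerpts of those two logs, trimmed to a few lines each; the item-line regex is my assumption about the v2.0.2 line format.

```python
"""Diff the autostart inventory recorded by two HijackThis logs.

Added example for this thread; it is not HijackThis's own tooling. It
assumes the line shape HijackThis v2 prints for each item: a section
code (R0, R1, O2, O4, O23, ...), " - ", then the entry text. The two
samples below are abbreviated excerpts of the 19:41 and 20:48 logs
posted in the thread, trimmed to a handful of lines each.
"""
import re

# Assumed item-line shape; process-list lines and the header do not match it.
ITEM_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

BEFORE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\RunOnce: [SpybotDeletingA3465] command /c del "C:\\WINDOWS\\system32\\drivers\\core.cache.dsk"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\\Program Files\\CyberLink\\Shared files\\RichVideo.exe
"""

AFTER_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\\Program Files\\CyberLink\\Shared files\\RichVideo.exe
"""


def parse_items(log_text: str) -> dict:
    """Map each item line to its section code; non-item lines are dropped."""
    items = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            items[line] = m.group(1)
    return items


def diff_logs(before_text: str, after_text: str) -> tuple:
    """Return (removed, added): items present only in the earlier or only in the later log."""
    before, after = parse_items(before_text), parse_items(after_text)
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    return removed, added


def unknown_owner_services(log_text: str) -> list:
    """O23 services whose binary carried no readable company name; verify these by hand."""
    return [line for line, code in parse_items(log_text).items()
            if code == "O23" and "Unknown owner" in line]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed since the earlier log:")
    for line in removed:
        print("  -", line)
    print("added since the earlier log:")
    for line in added:
        print("  +", line)
    print("services with no readable vendor:")
    for line in unknown_owner_services(AFTER_LOG):
        print("  ?", line)
</```

On the excerpts, the diff reports four removals (the Spybot BHO, its RunOnce deletion entry, TeaTimer and the Ad-Aware service) and nothing added, which matches what happened in the thread: the user uninstalled those tools between the two logs. "Unknown owner" only means HijackThis found no company string in the executable; it is a triage cue for which service to check, not a verdict about it.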



## jca716 (May 28, 2005)

I found this process on a site and tried it with no results..the pop-ups are getting even worse..I even used ComboFix and made my own CFScript file to delete core.cache.dsk...and it is now gone..but here is a copy of the process I attempted, just to let you know my progress

STEP 1. SYSTEM PREPARATION
A. SHOW ALL HIDDEN FILES:
Windows XP
• Click Start. 
• Open My Computer. 
• Select the Tools menu and click Folder Options. 
• Select the View Tab. 
• Under the Hidden files and folders heading select Show hidden files and folders. 
• Uncheck the Hide protected operating system files (recommended) option. 
• Click Yes to confirm. 
• Click OK.
B. Copy this text below into a text file called Smithfraud.txt

Put it on your desktop (this is a list of bad files). Although you can just type them manually, it's best to copy and paste so you don't have typos.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

C. Copy and Paste the following text into a file called Malware.txt

Put it on your desktop (this is a list of bad files). Although you can just type them manually, it's best to copy and paste so you don't have typos.

C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\FLEOK
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\TEMP\SAHUpdate
C:\WINDOWS\Application Data\Lycos
C:\WINDOWS\TEMP\msview.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\SYSTEM\wb.dll
C:\WINDOWS\SYSTEM\CometTB.dll
C:\WINDOWS\SYSTEM\CometTB.exe
C:\WINDOWS\SYSTEM\Agent.dll
C:\WINDOWS\SYSTEM\nostalgia.dll
C:\WINDOWS\SYSTEM\OMsetup.exe
C:\WINDOWS\SYSTEM\cm1.dll
C:\WINDOWS\SYSTEM\stlbupdt.dll
C:\WINDOWS\SYSTEM\Xcite.exe
C:\WINDOWS\SYSTEM\Xcite.dll
C:\WINDOWS\SYSTEM\msss.exe
C:\WINDOWS\SYSTEM\kyf.dat
C:\WINDOWS\TEMP\saveinstwm.exe
C:\WINDOWS\TEMP\MSView.inf
C:\WINDOWS\TEMP\asmfiles.cab
C:\WINDOWS\TEMP\asmfiles.cab[asm.exe]
C:\WINDOWS\TEMP\__unin__.exe
C:\WINDOWS\msxmidi.exe
C:\RECYCLED\DC1\unbzip2s.dll
C:\RECYCLED\DC8.EXE
C:\wp.bmp

D. Download SmithFraud Reg

It is best to put Smithfraud.reg to your desktop (so you can find it). DO NOT double click on it yet.

Right Click on this link and "Save As":
http://www.bleepingcomputer.com/files/reg/smitfraud.reg

E. GET KILLBOX

Download the Killbox Unzip it to the desktop.

STEP 2. DELETE the MALWARE
A. Boot into SAFE MODE

Getting into Safe Mode on Window is easy.
Reboot your computer and HIT the "F8" Function Key like crazy.
If it doesn't work, try again. The system should ask you what mode you want to boot in. You want "Safe Mode" or "Safe Mode with Networking".
MORE ON SAFE MODE

B. Use KillBox to remove the Malware

Once you are in Safe Mode you will be able to delete all the unwanted malware. Use Malware.txt and Smithfraud.txt on your desktop to copy and paste each path (e.g. c:\wp.bmp) into Killbox and click the "X" to remove them.

You will be prompted to reboot each time you delete one of the files. Choose "NO" until you are complete.

C. Remove ScareWare files that were possibly added by Trojan.spy.smithfraud.c

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following process (if it is running):

wsys.exe

Exit the Task Manager when finished.

TO KILL ALL THE "TROJAN-SPY.HTML.SMITFRAUD.C" FILES AT ONCE AUTOMATICALLY:

Double-click Killbox.exe to run it.

Select "Delete on Reboot".

You'll need the text you copied in your SMITHFRAUD.TXT (highlighting ALL of them and pressing CTRL + C)

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

STEP 3. RUN SMITHFRAUD.REG
Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to update the registry, click YES. Wait for the "Smitfraud.reg has been successfully added to the registry" message.

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

If you haven't already done so, right click on the link and download it to the desktop. As your last step, click on the smitfraud.reg file.

It will ask you if you are sure, click "yes." Registry Edits do not take hold until you reboot. This edit just cleans up some of the Smithfraud files from your registry.

Many trojan and virus fixes can be found on Bleeping Computer's site. It is an excellent resource.

Here are some free scans to check and make sure there are no holes left in your network:

These are sites that allow you to scan your system from the outside. It is a very simple penetration test.

Sygate 
GRC

If your system is exposed to the Internet go to my Broadband Internet Security Site.

If ALL else fails and you have already backed up your data (or don't need to), reload your operating system. That will fix everything! Secure your system or you will get more malware for sure.

FIN.

References:
http://www.xtra.co.nz -Show Hidden files 
www.bleepingcomputer.com - smithfraud.reg
http://www.viruslist.com - Trojan-Spy.HTML.Smithfraud.c
http://forum.us.dell.com - Scanners
http://www.geekstogo.com - Trojan-Spy.HTML.Smithfraud.c removal (thanks to "thatman" with the GeekSquad Staff)
http://www.geekstogo.com - GREAT STUFF
http://www.atribune.org - Killbox (mad props to Option^X)

http://www.pchell.com - Safe Mode
http://www.webhelper4u.com - Hijacking Scare ads

List of more removal tools:
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41
http://www.netrn.net/spywareblog/


----------



## Cookiegal (Aug 27, 2003)

I did not post instructions to do any of those things and ComboFix should never be used without supervision so if you really don't want my help then I will move on to those who do.


----------



## jca716 (May 28, 2005)

so sorry for real..i will only follow your direct instruction from here on out...i just ran the Kaspersky online scan again to see how bad i am infected and i will post if you would like below..thank you for being so tolerant with [email protected]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-04 16:30
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/02/2008
Kaspersky Anti-Virus database records: 547209
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 76788
Number of viruses found: 5
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:04:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\svchost.exe.bac_a02388	Infected: not-a-virus:RiskTool.Win32.HideWindows	skipped
C:\Documents and Settings\Compaq_Owner\Application Data\AVG7\l_000103.log	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFDBF5.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFDC03.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NGEFBMQC\125x125_04[1].swf	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NGEFBMQC\preloader_testimonials[1].swf	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\sti.log	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe/data.rar/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe/data.rar	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe	RarSFX: infected - 2	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000395.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C662E422-2F1C-4BFA-A2F4-B54EAFA16F43}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system\dcache\data\scan\Fun.tim	Infected: Backdoor.IRC.Flood	skipped
C:\WINDOWS\system\dcache\data\scan\k.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.1101	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\drivers\bridgee.sys	Object is locked	skipped
C:\WINDOWS\system32\drivers\core.cache.dsk	Object is locked	skipped
C:\WINDOWS\system32\drivers\sptd.sys	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0015.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0016.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe	WiseSFX: infected - 2	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe	WiseSFXDropper: infected - 2	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe/WISE0015.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe/WISE0016.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe	WiseSFX: infected - 2	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe	WiseSFXDropper: infected - 2	skipped
D:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\change.log	Object is locked	skipped

Scan process completed.
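
Reading a report like this one comes down to separating the "Object is locked" noise and stored copies from the live hits. The following Python is added here as an illustration; it is not code from the thread or from Kaspersky's tooling. It runs the triage over an excerpt of the report above (the rows are copied from it), treating hits inside AV quarantine folders, System Restore snapshots and the OEM `D:\I386` installer source as leftovers rather than running malware, and names the folder the remaining detections share.

```python
"""Triage a Kaspersky Online Scanner report.

Added example, not code from the thread or from Kaspersky: reduces a report
like the one posted above to the detections that still need a decision. Every
"Object is locked" line is noise, archive summary lines repeat what their
member lines already say, and hits inside AV quarantine folders, System
Restore snapshots or OEM installer sources (D:\\I386) are stored copies left
by earlier clean-ups rather than running malware.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Subset of the report posted above, as (path, result, action) triples; the
# scanner writes the same three fields separated by tabs.
SAMPLE_ROWS = [
    (r"C:\Documents and Settings\Compaq_Owner\Cookies\index.dat",
     "Object is locked", "skipped"),
    (r"C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\svchost.exe.bac_a02388",
     "Infected: not-a-virus:RiskTool.Win32.HideWindows", "skipped"),
    (r"C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe/data.rar/SmitfraudFix/Reboot.exe",
     "Infected: not-a-virus:RiskTool.Win32.Reboot.f", "skipped"),
    (r"C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe",
     "RarSFX: infected - 2", "skipped"),
    (r"C:\WINDOWS\system\dcache\data\scan\Fun.tim",
     "Infected: Backdoor.IRC.Flood", "skipped"),
    (r"C:\WINDOWS\system\dcache\data\scan\k.exe",
     "Infected: not-a-virus:RiskTool.Win32.PsKill.1101", "skipped"),
    (r"D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0015.BIN",
     "Infected: not-a-virus:AdWare.Win32.WeatherBug.a", "skipped"),
    (r"D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe",
     "WiseSFX: infected - 2", "skipped"),
]
SAMPLE_REPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Locations where a detection is a stored copy, not an executing threat.
LEFTOVER_LOCATIONS = (
    re.compile(r"\\quarantine\\", re.I),                 # AV quarantine
    re.compile(r"\\system volume information\\", re.I),  # System Restore snapshots
    re.compile(r"^[a-z]:\\i386\\", re.I),                # OEM install/recovery source
)
CONTAINER_RE = re.compile(r"^\w+: infected - \d+$")      # e.g. "RarSFX: infected - 2"


def physical_path(path):
    """Strip the archive-member part ("...\\a.exe/inner.bin") down to the file on disk."""
    return path.split("/", 1)[0]


def classify(path, result):
    """Bucket one report line: locked, container, leftover, riskware or malware."""
    if result == "Object is locked":
        return "locked"
    if CONTAINER_RE.match(result):
        return "container"          # summary of an archive; members carry the detail
    if any(rx.search(path) for rx in LEFTOVER_LOCATIONS):
        return "leftover"
    if "not-a-virus:" in result:
        return "riskware"           # dual-use tool; judge it by where it sits
    return "malware"


def triage(report_text):
    """Group (path, detection name) pairs by bucket; malformed lines are ignored."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue
        path, result, _action = fields
        name = result.removeprefix("Infected: ")
        buckets[classify(path, result)].append((path, name))
    return buckets


def hot_folders(report_text):
    """Directories holding live (non-leftover) detections: the clean-up targets."""
    buckets = triage(report_text)
    folders = {
        str(PureWindowsPath(physical_path(p)).parent)
        for bucket in ("malware", "riskware")
        for p, _ in buckets[bucket]
    }
    return sorted(folders)


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for bucket in ("malware", "riskware", "leftover", "container"):
        for path, name in found[bucket]:
            print(f"{bucket:9} {name:45} {path}")
    print("folders to deal with:", hot_folders(SAMPLE_REPORT))
```

On the excerpt, the only live malware is `Backdoor.IRC.Flood` in `C:\WINDOWS\system\dcache\data\scan`, and the PsKill riskware sits in the same folder, which is what makes that whole folder, rather than single files, the thing to remove; the quarantine, restore-point and `I386` hits are reported separately so they are not mistaken for an active infection.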


----------



## Cookiegal (Aug 27, 2003)

Delete this folder:

C:\WINDOWS\system\*dcache*

Then run ComboFix again and post the new log please.


----------



## jca716 (May 28, 2005)

I deleted the file you requested and here is the Combofix log you requested....i can hardly get on the net anymore due to so many pop up windows ..I've had to close at least 10 since I've started typing this message...i am sorry earlier really...i thank you for all your help so far and i am really [email protected]

----------------------------------------------------------------------------------------------------------------------

ComboFix 08-02.03.1 - Compaq_Owner 2008-02-04 19:20:49.11 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 21:30 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-02-04 21:29 . 2008-02-04 21:30 d--------	C:\Program Files\Java
2008-02-04 21:27 . 2008-02-04 21:27 d--------	C:\Program Files\Common Files\Java
2008-02-04 13:49 . 2008-02-04 13:49	167,545	--a------	C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-04 13:18 . 2008-02-04 13:41	652	--a------	C:\WINDOWS\system32\tmp.reg
2008-02-03 14:14 . 2008-02-03 14:14 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-03 14:14 . 2008-02-04 17:30 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-02-03 14:13 . 2008-02-03 14:13 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-03 14:09 . 2008-02-03 14:18 d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-03 10:37 . 2008-02-03 10:38	41,168,824	--a------	C:\WINDOWS\system32\avg75avwt_516a1225.exe
2008-02-03 10:37 . 2008-02-03 10:37	86,144	--a------	C:\WINDOWS\system32\drivers\bridgee.sys
2008-01-29 21:07 . 2008-01-29 21:32	1,122,304	---h-----	C:\WINDOWS\system32\wodfamop.dll
2008-01-29 16:49 . 2008-01-29 16:49 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-29 16:49 . 2008-01-29 16:49 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 20:27 . 2008-01-28 20:27 d--------	C:\WINDOWS\system32\bak
2008-01-21 19:48 . 2008-02-03 20:27 d--------	C:\Program Files\Spybot - Search & Destroy
2008-01-12 19:25 . 2008-01-12 19:59 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 01:27	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 01:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 11:12	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-01-29 21:33	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-29 21:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-22 02:01	---------	d-----w	C:\Program Files\PC-Doctor 5 for Windows
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 03:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-31 00:34	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-31 00:26	---------	d-----w	C:\Program Files\LimeWire
2007-12-30 20:52	102,664	----a-w	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 06:20	---------	d-----w	C:\Program Files\Trend Micro
2007-12-28 03:23	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-26 04:37	---------	d-----w	C:\Program Files\EA GAMES
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\SureThing Shared
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-18 00:20	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-13 01:37	---------	d-----w	C:\Program Files\uTorrent
2007-12-11 01:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2007-02-10 19:28:55 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-03 14:15 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-03 14:14 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

R1 bridgee;bridgee;C:\WINDOWS\system32\drivers\bridgee.sys [2008-02-03 10:37]
S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 19:27:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-04 19:31:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 00:31:48
ComboFix2.txt 2008-02-04 05:02:05
ComboFix3.txt 2008-02-04 03:12:10
ComboFix4.txt 2008-02-04 01:44:34
ComboFix5.txt 2008-01-17 20:24:13
.
2008-01-08 23:08:15	--- E O F ---


----------



## Cookiegal (Aug 27, 2003)

You've picked up another infection but we'll deal with it after the next step.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\bridgee.sys

Driver::
bridgee

DirLook::
C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups and then restore them.

Download FindAWF.exe from *here* or *here* and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with the following Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
*Select option 1*, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.
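
The bak-folder mechanism described above can be checked directly against the AWF section of the ComboFix log. The following Python is added as an illustration; it is not code from the thread and not FindAWF's own logic. It parses AWF listing lines, pairs each `\bak\` entry with the live path it implies one level up, and compares size and timestamp. The lines are taken from the log above, with one extra pair under `C:\Program Files\Example` constructed so the "differs" case appears.

```python
"""Pair ComboFix "AWF" entries with the live file they were moved away from.

Added example, not code from the thread and not FindAWF's own logic.
Downloader.Agent.awf moves a legitimate program into a sibling "bak" folder
and drops its own file under the original name, so every "...\\bak\\name"
entry in the AWF section implies an expected live path one level up. Pairing
the two on size and timestamp shows which live files are no longer the
originals and which backups have no live counterpart in the listing.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The AWF section from the ComboFix log above, plus one constructed pair
# (the "Example" lines, not from the log) so the "differs" branch is exercised.
SAMPLE_AWF = r"""
----a-w 180,269 2007-02-10 19:28:55 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\ctfmon.exe

----a-w 180,269 2007-02-10 19:28:55 C:\Program Files\Example\bak\example.exe
----a-w 77,824 2008-01-28 20:27:00 C:\Program Files\Example\example.exe
"""

# attributes, size with thousands separators, "YYYY-MM-DD HH:MM:SS", path
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    timestamp: str
    path: str


def parse_awf(text):
    """Map lower-cased path -> Entry for every well-formed listing line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                      # blank lines and section banners
        entry = Entry(m["attrs"], int(m["size"].replace(",", "")), m["ts"], m["path"])
        entries[entry.path.lower()] = entry
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named "bak"."""
    return PureWindowsPath(path).parent.name.lower() == "bak"


def live_path_for(bak_path):
    """...\\bak\\name -> ...\\name: where the original used to live."""
    p = PureWindowsPath(bak_path)
    return str(p.parent.parent / p.name)


def pair_backups(entries):
    """(backup, expected live path, status) for every bak copy in the listing."""
    findings = []
    for entry in entries.values():
        if not is_bak_copy(entry.path):
            continue
        live_path = live_path_for(entry.path)
        live = entries.get(live_path.lower())
        if live is None:
            status = "live copy not in listing"
        elif (live.size, live.timestamp) == (entry.size, entry.timestamp):
            status = "live copy matches backup"   # size+time only; hash both before trusting it
        else:
            status = "live copy differs from backup"
        findings.append((entry.path, live_path, status))
    return sorted(findings)


def restore_plan(entries):
    """(backup, destination) moves that would put the originals back, which is
    what FindAWF's option 2 is for; the differing live file is the suspect one."""
    return [(bak, live) for bak, live, status in pair_backups(entries)
            if status == "live copy differs from backup"]


if __name__ == "__main__":
    awf = parse_awf(SAMPLE_AWF)
    for bak, live, status in pair_backups(awf):
        print(f"{status:28} {bak} -> {live}")
    print("restore:", restore_plan(awf))
```

On the log's own lines, `ctfmon.exe` and its `bak` copy have the same size and timestamp, so that pair needs a content check rather than a restore, while the `realsched.exe` and `TeaTimer.exe` backups have no live counterpart in the listing and are the ones to look at on disk; only the constructed `Example` pair lands in the restore plan.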


----------



## jca716 (May 28, 2005)

ComboFix 08-02.03.1 - Compaq_Owner 2008-02-04 20:19:39.12 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\WINDOWS\system32\drivers\bridgee.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\bridgee.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\bridgee.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BRIDGEE
-------\bridgee

((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 21:30 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-02-04 21:29 . 2008-02-04 21:30 d--------	C:\Program Files\Java
2008-02-04 21:27 . 2008-02-04 21:27 d--------	C:\Program Files\Common Files\Java
2008-02-04 13:18 . 2008-02-04 13:41	652	--a------	C:\WINDOWS\system32\tmp.reg
2008-02-03 14:14 . 2008-02-03 14:14 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-03 14:14 . 2008-02-04 17:30 d--------	C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-02-03 14:13 . 2008-02-03 14:13 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-03 14:09 . 2008-02-03 14:18 d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-03 10:37 . 2008-02-03 10:38	41,168,824	--a------	C:\WINDOWS\system32\avg75avwt_516a1225.exe
2008-01-29 21:07 . 2008-01-29 21:32	1,122,304	---h-----	C:\WINDOWS\system32\wodfamop.dll
2008-01-29 16:49 . 2008-01-29 16:49 d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-01-29 16:49 . 2008-01-29 16:49 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 20:27 . 2008-01-28 20:27 d--------	C:\WINDOWS\system32\bak
2008-01-21 19:48 . 2008-02-03 20:27 d--------	C:\Program Files\Spybot - Search & Destroy
2008-01-12 19:25 . 2008-01-12 19:59 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 01:27	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 01:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 11:12	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-01-29 21:33	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-01-29 21:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-22 02:01	---------	d-----w	C:\Program Files\PC-Doctor 5 for Windows
2008-01-01 21:12	---------	d-----w	C:\Program Files\DivX
2007-12-31 03:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks
2007-12-31 01:22	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft
2007-12-31 00:34	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\PrevxCSI
2007-12-31 00:26	---------	d-----w	C:\Program Files\LimeWire
2007-12-30 20:52	102,664	----a-w	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-29 06:20	---------	d-----w	C:\Program Files\Trend Micro
2007-12-28 03:23	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-28 02:14	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-26 04:37	---------	d-----w	C:\Program Files\EA GAMES
2007-12-26 04:14	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 01:23	---------	d-----w	C:\Program Files\Sonic
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\SureThing Shared
2007-12-18 01:23	---------	d-----w	C:\Program Files\Common Files\Sonic Shared
2007-12-18 00:35	---------	d-----w	C:\Program Files\HP
2007-12-18 00:20	---------	d-----w	C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2007-12-17 23:46	---------	d-----w	C:\Program Files\Creative
2007-12-17 06:27	1,960	----a-w	C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-12-13 01:37	---------	d-----w	C:\Program Files\uTorrent
2007-12-11 01:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-05 23:16	---------	d-----w	C:\Program Files\Eidos Interactive
2005-05-12 14:36	12,288	----a-w	C:\WINDOWS\Fonts\RandFont.dll
2006-08-09 16:27	2,516	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch ----

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2007-02-10 19:28:55 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-01-03 00:25:43 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 19:25 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-03 14:15 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-03 14:14 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-09 10:38:31 27136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 20:26:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
.
**************************************************************************
.
Completion time: 2008-02-04 20:31:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 01:30:55
ComboFix2.txt 2008-02-05 00:31:53
ComboFix3.txt 2008-02-04 05:02:05
ComboFix4.txt 2008-02-04 03:12:10
ComboFix5.txt 2008-02-04 01:44:34
.
2008-01-08 23:08:15	--- E O F --- 
------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:31, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3533 bytes
------------------------------------------------------------------------------------------------------------------------

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-02-04 
The current time is: 20:32:50.14

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\SPYBOT~1\BAK

2007-08-31 16:46 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2008-01-02 19:25 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2007-02-10 14:28 180,269 realsched.exe
1 File(s) 180,269 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
15360 Jan 2 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Jan 2 2008 "C:\WINDOWS\system32\bak\ctfmon.exe"
180269 Feb 10 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

end of report


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and under *More advanced search options*. 
Make sure there is a check by *Search System Folders* and *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\WINDOWS\system32\ctfmon.exe*

Copy the file paths below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"*
*"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"*

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
*Select option 2* from the menu and press Enter.
Press any key to continue.
A Notepad document *FindAWF.txt* will appear with instructions to click below the line and paste the list of files to be restored.
Right-click below this line and select *Paste* to paste the list of files copied to the clipboard earlier. Save and close the document.
The program will proceed to move the legit files and will perform another scan for bak folders.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called *AWF.txt*.
Please copy and paste the contents of the *AWF.txt* file in your next reply.


----------



## jca716 (May 28, 2005)

There were 3 files with the name ctfmon.exe. I only uploaded the one you specifically asked for; the other two were in C:\WINDOWS\system32\bak and C:\WINDOWS\system32\dllcache, but I uploaded neither of these two other files. Just wanted you to know they were there in the search.
All 3 files had been modified on 2008-01-02 19:25.


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1 

File to upload & scan: 
Service 
Service load: 0% 100% 

File: ctfmon.exe 
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 24232996a38c0b0cf151c2140ae29fc8 
Packers detected: - 
Bit9 reports: No threat detected (more info) 

Scanner results 
Scan taken on 05 Feb 2008 22:06:45 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Ikarus Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing 




-----------------------------------------------------------------------------------------------------------------------
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-02-05 
The current time is: 5:31:38.46


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

2007-08-31 16:46 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2008-01-02 19:25 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2007-02-10 14:28 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
15360 Jan 2 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Jan 2 2008 "C:\WINDOWS\system32\bak\ctfmon.exe"
180269 Feb 10 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report


----------



## Cookiegal (Aug 27, 2003)

OK, it looks fine. It must have been recreated by the system file protection, as the date is current but the size and MD5 hash are correct.


Are you sure you copied the two lines exactly as shown when running option 2 of FindAWF? Because it didn't work. Try doing it again but with your anti-virus program disabled (be sure you're disconnected from the Internet when doing this and re-enable it before reconnecting).


----------
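The FindAWF reports above list every `bak` folder and the files that duplicate its contents, and the check Cookiegal applies to ctfmon.exe (same size and same MD5 as a known-good copy) is what decides whether such a pair is harmless. The Python script below is an added example, not part of this thread and not FindAWF's own code: it walks a directory tree, lists `bak` folders, pairs each backed-up file with the same-named file beside it, and classifies the pair by MD5 against a known-good table, without moving or deleting anything. The only real value in it is the Jotti MD5 for ctfmon.exe from the post above; the sample tree it builds in a temporary directory, and the hashes derived from that tree, are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# The one real value here is the MD5 Jotti reported for the thread's
# ctfmon.exe (15,360 bytes); everything else in this file is constructed.
KNOWN_GOOD_MD5: Dict[str, str] = {
    "ctfmon.exe": "24232996a38c0b0cf151c2140ae29fc8",
}


@dataclass
class BakFinding:
    bak_file: str            # file found inside a bak folder
    live_file: str           # same-named file in the parent folder (may not exist)
    bak_md5: str
    live_md5: Optional[str]  # None when the parent has no such file
    verdict: str


def md5_of(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries are handled."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: str) -> List[str]:
    """Every directory named 'bak' (case-insensitive) under root, like the first FindAWF section."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        hits.extend(os.path.join(dirpath, d) for d in dirnames if d.lower() == "bak")
    return sorted(hits)


def verdict_for(name: str, bak_md5: str, live_md5: Optional[str],
                known_good: Dict[str, str]) -> str:
    """Classify a bak/live pair. A reference hash outweighs size or date."""
    good = known_good.get(name.lower())
    if live_md5 is None:
        return "original missing from parent; bak copy is the only one left"
    if bak_md5 == live_md5:
        return "identical copies; bak folder is redundant (the ctfmon.exe case in the thread)"
    if good and live_md5 == good:
        return "live file matches known-good hash; bak copy differs"
    if good and bak_md5 == good:
        return "bak copy matches known-good hash; LIVE FILE HAS BEEN REPLACED"
    return "pair differs and no reference hash; submit both for analysis"


def audit_bak_folders(root: str, known_good: Dict[str, str] = KNOWN_GOOD_MD5) -> List[BakFinding]:
    """Read-only audit: nothing is moved, renamed or deleted."""
    findings = []
    for bak_dir in find_bak_folders(root):
        parent = os.path.dirname(bak_dir)
        for name in sorted(os.listdir(bak_dir)):
            bak_file = os.path.join(bak_dir, name)
            if not os.path.isfile(bak_file):
                continue
            live_file = os.path.join(parent, name)
            bak_md5 = md5_of(bak_file)
            live_md5 = md5_of(live_file) if os.path.isfile(live_file) else None
            findings.append(BakFinding(bak_file, live_file, bak_md5, live_md5,
                                       verdict_for(name, bak_md5, live_md5, known_good)))
    return findings


def build_demo_tree(base: str) -> Dict[str, str]:
    """Constructed sample tree; returns a known-good table for its 'genuine' bytes.

    system32/ctfmon.exe and system32/bak/ctfmon.exe are identical (the thread's case);
    Spybot/TeaTimer.exe differs from Spybot/bak/TeaTimer.exe, the bak copy being the
    genuine one (what FindAWF option 2 restores); Real/bak/realsched.exe has no live file.
    """
    genuine_teatimer = b"MZ genuine TeaTimer (constructed)"
    layout = {
        "system32/ctfmon.exe": b"MZ ctfmon (constructed)",
        "system32/bak/ctfmon.exe": b"MZ ctfmon (constructed)",
        "Spybot/TeaTimer.exe": b"MZ something else entirely (constructed)",
        "Spybot/bak/TeaTimer.exe": genuine_teatimer,
        "Real/bak/realsched.exe": b"MZ realsched (constructed)",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return {"teatimer.exe": hashlib.md5(genuine_teatimer).hexdigest()}


def run_demo() -> Dict[str, str]:
    """Build the sample tree in a temp dir and return {file name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        known = {**KNOWN_GOOD_MD5, **build_demo_tree(tmp)}
        return {os.path.basename(f.bak_file): f.verdict for f in audit_bak_folders(tmp, known)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The known-good table is deliberately a parameter: on a real machine it would be filled from a trusted copy of each file (the `dllcache` copy, install media, or the vendor's published hashes), never from the suspect file itself.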



## jca716 (May 28, 2005)

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-02-05 
The current time is: 7:30:39.04


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

2007-08-31 16:46 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2008-01-02 19:25 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2007-02-10 14:28 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
15360 Jan 2 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Jan 2 2008 "C:\WINDOWS\system32\bak\ctfmon.exe"
180269 Feb 10 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Feb 10 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report


Yes, I did exactly as you stated: unplugged the modem, turned off the antivirus (Resident Shield), and copied all the text, even the exclamations, to the Notepad window generated by the program. Then I clicked save, closed the txt window, and then the process [email protected]


----------



## Cookiegal (Aug 27, 2003)

This time it worked.

Copy the file paths below to the clipboard by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\Program Files\Spybot - Search & Destroy\bak*
*C:\WINDOWS\system32\bak*
*C:\Program Files\Common Files\Real\Update_OB\bak*


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
*Select option 3* from the menu and press Enter.
Press any key to continue. 
A Notepad document *FindAWF.txt* will appear with instructions to click below the line and paste the list of folders to be removed.
Right-click below this line and select *Paste* to paste the list of folders copied to the clipboard earlier. Save and close the document.
The program will proceed to remove the bak folders and will perform another scan for bak folders.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.


----------



## jca716 (May 28, 2005)

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-02-06 
The current time is: 4:18:11.56


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

2007-08-31 16:46 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"


end of report


----------



## Cookiegal (Aug 27, 2003)

Delete this folder manually:

C:\Program Files\Spybot - Search & Destroy\*bak*

Reboot and post a new HijackThis log please.


----------



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:50, on 2008-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Webteh\BSplayerPro\bsplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3682 bytes

Deleted the folder you requested as well.


----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## jca716 (May 28, 2005)

No problems seen at all on my end. I'll run Kaspersky's scan later on tonight and post the results in the morning. If there is anything else you would request of me, just let me know, and if not I thank you so very much and I will mark the thread as closed when you tell me [email protected]


----------



## Cookiegal (Aug 27, 2003)

Let's see what Kaspersky says and how things are tomorrow and then if all is fine, I'll post some final instructions for you.


----------



## jca716 (May 28, 2005)

Sounds great, thanks.


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## jca716 (May 28, 2005)

I have to leave town this morning, but I will run the virus scan on Monday and repost when I return home. Have a great [email protected]


----------



## Cookiegal (Aug 27, 2003)

That's fine. Have a great trip.


----------



## jca716 (May 28, 2005)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-11 18:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/02/2008
Kaspersky Anti-Virus database records: 558085
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 79702
Number of viruses found: 5
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:59:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\svchost.exe.bac_a02388	Infected: not-a-virus:RiskTool.Win32.HideWindows	skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012008021120080212\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF6CA1.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DF6CAE.tmp	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\QooBox\Quarantine\catchme2008-02-04_202600.45.zip/bridgee.sys	Infected: Rootkit.Win32.Agent.zl	skipped
C:\QooBox\Quarantine\catchme2008-02-04_202600.45.zip	ZIP: infected - 1	skipped
C:\sti.log	Object is locked	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP13\change.log	Object is locked	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe/data.rar/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe/data.rar	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000387.exe	RarSFX: infected - 2	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000395.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6\A0000427.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.1101	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\drivers\sptd.sys	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0015.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe/WISE0016.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe	WiseSFX: infected - 2	skipped
D:\I386\Apps\APP16510\src\CompaqPresario_Spring06.exe	WiseSFXDropper: infected - 2	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe/WISE0015.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe/WISE0016.BIN	Infected: not-a-virus:AdWare.Win32.WeatherBug.a	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe	WiseSFX: infected - 2	skipped
D:\I386\Apps\APP16510\src\HPPavillion_Spring06.exe	WiseSFXDropper: infected - 2	skipped

Scan process completed.


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the *green arrow* at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found:

If so, click it and then click the next icon right below and select *Move incurable* as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click *file* and choose *save report list*.
Save the report to your desktop. The report will be called *DrWeb.csv*.
Close Dr.Web CureIt.
*Reboot* your computer!! It is possible that files in use will be moved/deleted during the reboot.
After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with a new HijackThis log.


----------



## jca716 (May 28, 2005)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:46, on 2008-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3709 bytes

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3869.9.20;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3899.1.16;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\3991.4.16;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4000.1.4;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\AIMSUD338;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Moved.;
j4_f.wav;C:\Documents and Settings\Compaq_Owner\My Documents\Chance\Games\GTA 3 (PC) Grand Theft Auto III - Liberty City\GTA3\audio;Modification of V2Px.1190;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Moved.;
A0000005.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1;Probably BATCH.Virus;Moved.;
A0000043.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2;Probably BATCH.Virus;Moved.;
A0000108.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP3;Probably BATCH.Virus;Moved.;
A0000199.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP3;Probably BATCH.Virus;Moved.;
A0000370.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Tool.Prockill;Moved.;
A0000394.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Tool.Prockill;Moved.;
A0000396.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Tool.ShutDown.11;Moved.;
A0000427.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Program.PsKill.101;Moved.;
A0000431.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Program.mIRC.603;Moved.;
A0000444.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Probably BATCH.Virus;Moved.;
A0000508.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP7;Probably BATCH.Virus;Moved.;
firstopt.js;D:\I386\Apps\APP17729;Probably SCRIPT.Virus;Moved.;

I think I did something wrong... I didn't cure any of it, I just moved it... I hope you're not mad...
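The scan output above is a semicolon-separated list of file, folder, verdict and action. As an added example (not a tool from this thread, and the field layout is an assumption read off the posted lines), this PowerShell script parses lines of that shape, counts verdicts, and separates out two groups a helper would look at before anything is deleted: hits that sit inside old System Restore points, and verdicts prefixed "Probably", which this scanner appears to use for heuristic rather than exact signature detections. The sample lines are copied from the post.

```powershell
# Added example, not from the thread. Parses a scan log of the form
# file;folder;verdict;action; (an assumption based on the lines posted above).
$log = @'
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
A0000005.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1;Probably BATCH.Virus;Moved.;
A0000427.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP6;Program.PsKill.101;Moved.;
firstopt.js;D:\I386\Apps\APP17729;Probably SCRIPT.Virus;Moved.;
'@

function ConvertFrom-ScanLog {
    param([string]$Text)
    $Text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $f = $_ -split ';'
        [pscustomobject]@{
            File         = $f[0]
            Folder       = $f[1]
            Verdict      = $f[2]
            Action       = $f[3]
            # "Probably ..." is taken here to mean a heuristic verdict (assumption).
            Heuristic    = $f[2] -like 'Probably *'
            # Files archived inside a restore point are reinstated if that point is applied.
            RestorePoint = $f[1] -like '*\System Volume Information\_restore*'
        }
    }
}

$records = ConvertFrom-ScanLog -Text $log

# Verdict counts, most frequent first.
$records | Group-Object Verdict | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Hits living in old restore points; these justify flushing System Restore afterwards.
$records | Where-Object RestorePoint | Format-Table File, Folder -AutoSize

# Heuristic verdicts: worth a second opinion (hash lookup, second scanner) before deletion.
$records | Where-Object Heuristic | Select-Object File, Verdict
```

The script only reads the log; it does not touch the files it lists, so it is safe to run on a log pasted from any machine.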


----------



## Cookiegal (Aug 27, 2003)

No, it's fine. How are things now?


----------



## jca716 (May 28, 2005)

Seems OK to me... one of the files that was moved was from a game I downloaded and it was MP3 format. Do I need to delete the entire game from my system as well? It was GTA3 and a cracked version at [email protected]


----------



## jca716 (May 28, 2005)

Well, my clock is still set to military time, probably from the ComboFix I guess... tried to change it back to regular time by synchronizing it but it won't [email protected]


----------



## Cookiegal (Aug 27, 2003)

jca716 said:


> Seems OK to me... one of the files that was moved was from a game I downloaded and it was MP3 format. Do I need to delete the entire game from my system as well? It was GTA3 and a cracked version at [email protected]


Yes, it would probably be best. I hope you learned a lesson about using cracks as it's likely what got you infected.

For the time, go to *Control Panel* - *Regional and Language Settings* - click on "customize" and change it back there.

Is everything else fine?


----------



## jca716 (May 28, 2005)

Seems that way to me... lol


----------



## Cookiegal (Aug 27, 2003)

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.
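The clean-up sequence above (flush old restore points, create a fresh one, clear temporary files) can also be scripted. The block below is an added example, not something posted in this thread; it assumes Windows PowerShell 5.1 on a supported Windows version run from an elevated prompt (the System Restore cmdlets used here do not exist on Windows XP, which is what the thread's machine runs), and it assumes the system drive is C:.

```powershell
# Added example, not from the thread. Scripted equivalent of the post-cleanup steps.
# Assumes Windows PowerShell 5.1, elevated, system drive C: (assumptions).
#Requires -RunAsAdministrator

$drive = "C:\"

# 1. Turning System Restore off deletes every restore point on the drive.
#    The scan log earlier in the thread shows infected files archived under
#    C:\System Volume Information\_restore{...}\RPn, i.e. inside old restore points.
Disable-ComputerRestore -Drive $drive

# 2. Turn it back on. The post reboots between these two steps; the cmdlets do not
#    require it, but follow the post if you want the identical sequence.
Enable-ComputerRestore -Drive $drive

# 3. Create a known-clean restore point. On Windows 8 and later the OS creates at most
#    one restore point per 24 hours by default and silently skips extra requests,
#    so the listing in step 4 is the real confirmation.
Checkpoint-Computer -Description "Clean baseline after malware removal" `
                    -RestorePointType MODIFY_SETTINGS

# 4. Verify that only the new restore point exists.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime

# 5. Temporary files, Temporary Internet Files and Recycle Bin, matching the cleanmgr checklist.
foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp")) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
# Internet Explorer cache (Temporary Internet Files); option 8 = delete temporary files.
Start-Process -FilePath "RunDll32.exe" `
              -ArgumentList "InetCpl.cpl,ClearMyTracksByProcess 8" -Wait
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
```

Files that are in use when step 5 runs are skipped rather than reported, which is why the deletion errors are suppressed; run the step again after a reboot if the temp folders still hold locked files.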


----------



## jca716 (May 28, 2005)

Thanks so much... you have been a great help... I finished the last instructions given as [email protected]


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

