# Solved: I am infected :(



## Trinx (Nov 13, 2007)

Hello. My computer isn't very well. On startup I get a Windows Script Error box saying: *C:\Program Files\func.js*. In addition I keep getting balloons from the taskbar saying things like:

Security Alert: [email protected]
and
System performance monitor: Warning

I keep getting pop-ups with magical solutions to my problems like Security Center as well as adverts for "Save The Information" and "Sky Poker". I suspect these magical solutions will plunge me deeper into crisis. Everything is running very slowly. AVG Spyware (free) keeps picking things up & telling me to restart immediately but those same items seem to remain when I have restarted.

I'm running XP, here's my HJT log, thanks in advance for any help you can provide. I have seen other similar problems posted but I'm not clever enough to know if the prescribed fixes will work in my case.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:36:05, on 13/11/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: (no name) - {28CF1032-331C-4628-9E08-E5F07FEF5B58} - C:\Program Files\Messenger\menorus4444.dll
O2 - BHO: (no name) - {4856708B-FEB4-4913-B925-3649CBFD9238} - C:\WINDOWS\System32\opnli.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0lad4Yr7.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\System32\vhmgrjgv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {37f1cf60-ff79-c73b-4974-323371bdd47f} - {f74ddb17-3323-4794-b37c-97ff06fc1f73} - C:\WINDOWS\System32\pjyusfaq.dll
O2 - BHO: 0 - {FE4E79CC-68AB-4B5C-B581-45A7E38C87DF} - C:\Program Files\MSN Gaming Zone\quzaletum534.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\vhmgrjgv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c005AF4C.dat
O20 - Winlogon Notify: vhmgrjgv - C:\WINDOWS\SYSTEM32\vhmgrjgv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnlhbiAmIEZp\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\jfmofacc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtejezanel.html

--
End of file - 6439 bytes
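The log above is the raw material the helpers in this thread work from: each `R`/`O` line is an autorun or browser-extension point, and the suspicious ones share a few recognisable shapes (nameless BHOs, a rundll32 autorun calling a single-letter export, Winlogon Notify and AppInit_DLLs hooks, services whose binary is already gone, and System32 DLLs with machine-generated names). The following Python script is an added example, not part of the thread and not HijackThis's own code; it parses lines in that format and applies those rules as triage heuristics. The sample lines are copied from the first log in this thread, and the randomness check (8+ lowercase letters with a vowel ratio of at most 25%) is an assumed heuristic, not a rule HijackThis implements.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\vhmgrjgv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\System32\__c005AF4C.dat
O20 - Winlogon Notify: vhmgrjgv - C:\WINDOWS\SYSTEM32\vhmgrjgv.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UnlhbiAmIEZp\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\w$')
SYS32_RE = re.compile(r"system32\\([a-z]{8,})\.(dll|exe)\b", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_generated(path: str) -> bool:
    """Assumed heuristic: a System32 dll/exe whose stem is 8+ lowercase letters
    with at most 25% vowels (e.g. vhmgrjgv.dll); browseui.dll stays clean."""
    m = SYS32_RE.search(path)
    if not m:
        return False
    stem = m.group(1)
    if not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.25


def triage_line(line: str) -> List[Finding]:
    """Apply the rules above to one log line; a line can raise several findings."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []
    sec, body = m.group("section"), m.group("body")
    out: List[Finding] = []
    if sec == "R1" and "ProxyOverride" in body:
        out.append(Finding(sec, "ProxyOverride set; a local proxy may be intercepting browser traffic", line))
    if sec == "O2" and body.startswith("BHO: (no name)"):
        out.append(Finding(sec, "nameless browser helper object", line))
    if sec == "O4" and RUNDLL_RE.search(body):
        out.append(Finding(sec, "rundll32 autorun calling a DLL by a one-letter export", line))
    if sec == "O20":
        out.append(Finding(sec, "Winlogon Notify / AppInit_DLLs hook loads into every logon or process", line))
    if sec == "O23" and "Unknown owner" in body and "(file missing)" in body:
        out.append(Finding(sec, "service with unknown owner and missing binary (orphaned service entry)", line))
    if sec in ("O2", "O3", "O4", "O20") and looks_generated(body):
        out.append(Finding(sec, "System32 file with a machine-generated-looking name", line))
    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as a script it prints one finding per matched rule; the two entries pointing at vhmgrjgv.dll (the "Security Toolbar" and the Winlogon Notify hook) and the rundll32 autorun each trigger two rules, which is the kind of corroboration a helper looks for before asking for a removal tool. The heuristics are deliberately conservative: a legitimate entry such as the Google toolbar or NeroCheck.exe produces nothing.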


----------



## ~Candy~ (Jan 27, 2001)

Hi and welcome. You have a computer running with no Windows Service Packs...why is that?


----------



## Trinx (Nov 13, 2007)

Thanks!

I acquired this computer 2nd hand with XP already installed. Do I need to update before I can proceed?

I've tried to be a bit more pro-active since my post & have downloaded & run the new Combofix in normal mode. The log is:
____

ComboFix 07-11-08.1 - Ryan & Fi 2007-11-13 16:18:42.1 - NTFSx86 
Running from: C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Documents and Settings\Ryan & Fi\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Ryan & Fi\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Ryan & Fi\Favorites\Online Security Guide.lnk
C:\Program Files\MSN Gaming Zone\quzaletum.dll
C:\Program Files\MSN Gaming Zone\quzaletum534.dll
C:\Program Files\MSN Gaming Zone\rtejezanel.html
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c0038C76.dat
C:\WINDOWS\system32\__c005AF4C.dat
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\iflfyiol.dll
C:\WINDOWS\system32\ilnpo.bak1
C:\WINDOWS\system32\ilnpo.bak2
C:\WINDOWS\system32\ilnpo.ini
C:\WINDOWS\system32\opnli.dll
C:\WINDOWS\system32\owfpumdv.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\swmvnwtu.dll
C:\WINDOWS\system32\vhmgrjgv.dllbox
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\x2\jumper83122.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 16:49	169,147	--a------	C:\WINDOWS\TTC-4444.exe
2007-11-13 16:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-12 23:11	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-12 23:03	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:02 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-11-12 20:14	184,320	--a------	C:\WINDOWS\system32\0lad4Yr7.dll
2007-11-12 20:10	89,664	--a------	C:\WINDOWS\system32\ulqshpyl.dll
2007-11-12 20:04	81,472	--a------	C:\WINDOWS\system32\pjyusfaq.dll
2007-11-12 19:55	71,232	--a------	C:\WINDOWS\system32\vpcyplnm.exe
2007-11-10 19:38	27,200	--a------	C:\WINDOWS\system32\IpCD8UWg.exe
2007-11-10 18:35	85,056	--a------	C:\WINDOWS\system32\ixfqnlki.dll
2007-11-10 18:33	81,472	--a------	C:\WINDOWS\system32\ciawnnqa.dll
2007-11-10 18:30	145,984	--a------	C:\WINDOWS\system32\vhmgrjgv.dll
2007-11-10 18:29	145,984	--a------	C:\WINDOWS\system32\aslefqil.dll
2007-11-09 16:32 d--hs----	C:\WINDOWS\UnlhbiAmIEZp
2007-11-09 16:31	36,352	--a------	C:\WINDOWS\system32\tuvwutq.dll
2007-11-09 16:29	36,352	--a------	C:\WINDOWS\system32\hgggfdd.dll
2007-11-09 16:28 d--------	C:\WINDOWS\system32\rev3
2007-11-09 16:28 d--------	C:\WINDOWS\system32\dn5
2007-11-09 16:27 d--------	C:\WINDOWS\system32\rMa01yy
2007-11-09 16:27 d--------	C:\Temp\abW9
2007-11-09 16:27	36,352	--a------	C:\WINDOWS\system32\wvutrsq.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 23:11	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-09 18:48	---------	d-----w	C:\Program Files\Soulseek
2007-10-23 13:37	---------	d-----w	C:\Program Files\BitTorrent
2007-08-02 13:43	282,624	----a-w	C:\Program Files\TTC.dll
2005-12-05 20:37	33,096	-c--a-w	C:\Documents and Settings\Ryan & Fi\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 23:13:12	56	--sh--r	C:\WINDOWS\system32\179D0E0F3F.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01048EEF-DDF2-4577-B03F-E1A61E79F453}]
2007-08-02 13:43	282624	--a------	C:\Program Files\Messenger\menorus83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28CF1032-331C-4628-9E08-E5F07FEF5B58}]
2007-08-02 13:43	282624	--a------	C:\Program Files\Messenger\menorus4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-11-12 20:14	184320	--a------	C:\WINDOWS\System32\0lad4Yr7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-10 18:30	145984	--a------	C:\WINDOWS\system32\vhmgrjgv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF6A3C5D-90E6-4739-01BD-ED8226F430E8}]
2007-11-13 16:53	70144	--a------	C:\Program Files\MSN Gaming Zone\quzaletum.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f74ddb17-3323-4794-b37c-97ff06fc1f73}]
2007-11-12 20:04	81472	--a------	C:\WINDOWS\System32\pjyusfaq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\vhmgrjgv.dll [2007-11-10 18:30 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]


----------



## Trinx (Nov 13, 2007)

My new HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:02:39, on 13/11/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: (no name) - {28CF1032-331C-4628-9E08-E5F07FEF5B58} - C:\Program Files\Messenger\menorus4444.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0lad4Yr7.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\vhmgrjgv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {DF6A3C5D-90E6-4739-01BD-ED8226F430E8} - C:\Program Files\MSN Gaming Zone\quzaletum.dll
O2 - BHO: {37f1cf60-ff79-c73b-4974-323371bdd47f} - {f74ddb17-3323-4794-b37c-97ff06fc1f73} - C:\WINDOWS\System32\pjyusfaq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\vhmgrjgv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: vhmgrjgv - C:\WINDOWS\SYSTEM32\vhmgrjgv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5979 bytes


----------



## ~Candy~ (Jan 27, 2001)

I think before the security folks will help, you need to AT LEAST install SP1 now....DO NOT install SP2 yet.


----------



## Trinx (Nov 13, 2007)

Thanks for your advice, will report back after SP1 installed.


----------



## Trinx (Nov 13, 2007)

XP SP1 installed now. What next?

Thanks again in advance...


----------



## ~Candy~ (Jan 27, 2001)

Post a new log.


----------



## Cookiegal (Aug 27, 2003)

Once you post your new log, I'll be assisting you.


----------



## Cookiegal (Aug 27, 2003)

And why no anti-virus program?


----------



## ~Candy~ (Jan 27, 2001)

Thanks Karen :up:

I saw AVG and didn't notice that it was just spyware 

OOPSIE


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## Trinx (Nov 13, 2007)

This machine's hard-drive is tiny - I did have AVG free but had to make some space for some large files I was working with. Obviously now I'm paying the price for not re-installing it straight away. I'm reinstalling it now. Which scan/log should I post, ComboFix, HJT or both? Thank you so much.


----------



## Cookiegal (Aug 27, 2003)

Just the HijackThis please.


----------



## Trinx (Nov 13, 2007)

New HJT log attached.

FYI I have installed AVG Free 7.5 & have updated it but have not performed a scan yet, as I wasn't sure if I should, and if so whether I should do it in safe mode.

Thanks again.


----------



## Cookiegal (Aug 27, 2003)

Pasting the log here for easier viewing.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:52:33, on 13/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: (no name) - {28CF1032-331C-4628-9E08-E5F07FEF5B58} - C:\Program Files\Messenger\menorus4444.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0lad4Yr7.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\vhmgrjgv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {ADA37359-BCDA-449F-3F9D-BEECD46CB821} - C:\Program Files\MSN Gaming Zone\quzaletum80.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {37f1cf60-ff79-c73b-4974-323371bdd47f} - {f74ddb17-3323-4794-b37c-97ff06fc1f73} - C:\WINDOWS\System32\pjyusfaq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\vhmgrjgv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: vhmgrjgv - C:\WINDOWS\SYSTEM32\vhmgrjgv.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtejezanel.html

--
End of file - 6692 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download *SmitfraudFix* (by *S!Ri*)

Extract (unzip) the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## Trinx (Nov 13, 2007)

SmitFraudFix v2.253

Scan done at 0:27:30.88, 14/11/2007
Run from 
C:\Documents and Settings\Ryan & Fi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RYAN

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\rtejezanel.html"
"SubscribedURL"=""
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{625A1254-708F-41EC-A994-FEB1934CE8C9}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{625A1254-708F-41EC-A994-FEB1934CE8C9}: DhcpNameServer=194.168.4.100 194.168.8.100

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, double-click *smitfraudfix.exe*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning : running option #2 on a non infected computer will remove your Desktop background.


----------



## Trinx (Nov 13, 2007)

Thank you. When you said to run smitfraudfix.exe in safe mode I assume you meant smitfraudFix.cmd. I selected Option 2 (Clean) & pressed enter. I did not get a prompt to confirm Y to clean registry, it seemed to start without that prompt. Some text scrolled quickly down the screen then the screen went black (apart from Safe Mode information). I gave it 15 minutes to be sure the task was completed then restarted in normal mode.

When Windows started I got an error box called RUNDLL which said:
___
Error loading C:\WINDOWS\System32\ulqshpyl.dll
Access is denied.
___

AVG keeps picking items up & continually suggesting I heal them, but so far I have had no pop-ups at all. And when I click on IE I get my normal homepage, which is also an improvement.

Here's the report (which I had to locate as per your instructions at C:\rapport.txt).

Thanks again. Again!
___

SmitFraudFix v2.253

Scan done at 4:13:38.24, 14/11/2007
Run from 
C:\Documents and Settings\Ryan & Fi\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{625A1254-708F-41EC-A994-FEB1934CE8C9}: DhcpNameServer=194.168.4.100 194.168.8.100

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


----------



## Trinx (Nov 13, 2007)

update: I am getting occasional pop-ups but I am not getting any of the balloons telling me to install antivirus software. Apart from the fact that this machine takes a fair bit longer to start-up (probably due to AVG applications) once it's up & running it's operating at something approaching normal speed.

I'm still getting the RUNDLL window on start-up though, and when I open IE I still get the WINDOWS SCRIPT ERROR box which says

C:\Program Files\func.js - access is denied.

Thanks.


----------



## Cookiegal (Aug 27, 2003)

Download *ComboFix* and save it to your desktop.

***Note: As you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._

Double click on *combofix.exe* & follow the prompts.

When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall***


----------



## Trinx (Nov 13, 2007)

Thanks!

ComboFix log attached.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:37:02, on 14/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: (no name) - {28CF1032-331C-4628-9E08-E5F07FEF5B58} - C:\Program Files\Messenger\menorus4444.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0lad4Yr7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {ADA37359-BCDA-449F-3F9D-BEECD46CB821} - C:\Program Files\MSN Gaming Zone\quzaletum80.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {37f1cf60-ff79-c73b-4974-323371bdd47f} - {f74ddb17-3323-4794-b37c-97ff06fc1f73} - C:\WINDOWS\System32\pjyusfaq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: vhmgrjgv - vhmgrjgv.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6353 bytes


----------



## Cookiegal (Aug 27, 2003)

You didn't get the latest version of ComboFix as I specifically asked so please remove the one you have and follow my instructions to get the new one and post a new log.


----------



## Trinx (Nov 13, 2007)

My apologies. To make sure I didn't have 2 versions on my desktop I overwrote the original file. Well I tried to, and just tried again. For some reason the overwrite didn't happen though, I still had yesterday's download on my desktop. Just got the right one so will run it again. Sorry! Thank you!


----------



## Trinx (Nov 13, 2007)

Ok I ran the right version of ComboFix this time. This version did not restart my machine.

*ComboFix log*:

ComboFix 07-11-08.3 - Ryan & Fi 2007-11-14 21:53:55.3 - NTFSx86
Running from: C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 04:08	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 04:08	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 04:08	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-11-14 04:08	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-11-14 04:08	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 00:28	1,512	--a------	C:\WINDOWS\system32\tmp.reg
2007-11-13 22:26 C:\Documents and Settings\Ryan 2007-11-13 22:26 Fi\Application Data\AVG7
2007-11-13 22:24 d--------	C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-13 17:59	115,200	--a------	C:\WINDOWS\system32\dpcdll.dll
2007-11-13 17:54 d--------	C:\WINDOWS\ServicePackFiles
2007-11-13 17:54 d--------	C:\WINDOWS\ehome
2007-11-13 17:54	29,696	---------	C:\WINDOWS\system32\asr_pfu.exe
2007-11-13 17:54	17,792	---------	C:\WINDOWS\system32\drivers\irbus.sys
2007-11-13 17:54	10,752	---------	C:\WINDOWS\system32\spiisupd.exe
2007-11-13 16:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-12 23:11 C:\Documents and Settings\Ryan 2007-11-12 23:11 Fi\Application Data\Grisoft
2007-11-12 23:03	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:02 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-11-12 20:14	184,320	--a------	C:\WINDOWS\system32\0lad4Yr7.dll
2007-11-12 20:10	89,664	--a------	C:\WINDOWS\system32\ulqshpyl.dll
2007-11-12 19:55	71,232	--a------	C:\WINDOWS\system32\vpcyplnm.exe
2007-11-10 19:38	27,200	--a------	C:\WINDOWS\system32\IpCD8UWg.exe
2007-11-10 18:35	85,056	--a------	C:\WINDOWS\system32\ixfqnlki.dll
2007-11-10 18:33	81,472	--a------	C:\WINDOWS\system32\ciawnnqa.dll
2007-11-10 18:29	145,984	--a------	C:\WINDOWS\system32\aslefqil.dll
2007-11-09 16:32 d--hs----	C:\WINDOWS\UnlhbiAmIEZp
2007-11-09 16:31	36,352	--a------	C:\WINDOWS\system32\tuvwutq.dll
2007-11-09 16:29	36,352	--a------	C:\WINDOWS\system32\hgggfdd.dll
2007-11-09 16:28 d--------	C:\WINDOWS\system32\rev3
2007-11-09 16:28 d--------	C:\WINDOWS\system32\dn5
2007-11-09 16:27 d--------	C:\WINDOWS\system32\rMa01yy
2007-11-09 16:27 d--------	C:\Temp\abW9
2007-11-09 16:27	36,352	--a------	C:\WINDOWS\system32\wvutrsq.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 22:29	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:28	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2007-11-12 23:11	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-09 18:48	---------	d-----w	C:\Program Files\Soulseek
2007-10-23 13:37	---------	d-----w	C:\Program Files\BitTorrent
2007-08-02 13:43	282,624	----a-w	C:\Program Files\TTC.dll
2007-07-28 09:06	135	----a-w	C:\Program Files\page.html
2005-12-05 20:37	33,096	-c--a-w	C:\Documents and Settings\Ryan & Fi\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 23:13:12	56	--sh--r	C:\WINDOWS\system32\179D0E0F3F.sys
.

((((((((((((((((((((((((((((( snapshot_2007-11-14_20.30.31.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-14 20:08:14	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-11-14 21:53:31	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01048EEF-DDF2-4577-B03F-E1A61E79F453}]
2007-08-02 13:43	282624	--a------	C:\Program Files\Messenger\menorus83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28CF1032-331C-4628-9E08-E5F07FEF5B58}]
2007-08-02 13:43	282624	--a------	C:\Program Files\Messenger\menorus4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-11-12 20:14	184320	--a------	C:\WINDOWS\System32\0lad4Yr7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA37359-BCDA-449F-3F9D-BEECD46CB821}]
C:\Program Files\MSN Gaming Zone\quzaletum80.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f74ddb17-3323-4794-b37c-97ff06fc1f73}]
C:\WINDOWS\System32\pjyusfaq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-02 23:27]
"USB Hardware8 Monitoring"="USBhardware8.exe" []
"RFX_auto_upgrade"="" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 12:06]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 18:29]
"3cd73b5b"="C:\WINDOWS\System32\ulqshpyl.dll" [2007-11-12 20:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-13 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"USB Hardware8 Monitoring"="USBhardware8.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 17:38]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"USB Hardware8 Monitoring"=USBhardware8.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vhmgrjgv] 
vhmgrjgv.dll

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 22:00:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Aspi32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
Completion time: 2007-11-14 22:03:11
C:\ComboFix2.txt ... 2007-11-14 20:32
C:\ComboFix3.txt ... 2007-11-13 16:58
.
--- E O F ---

*HJT log*

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:08:57, on 14/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: (no name) - {28CF1032-331C-4628-9E08-E5F07FEF5B58} - C:\Program Files\Messenger\menorus4444.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0lad4Yr7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {ADA37359-BCDA-449F-3F9D-BEECD46CB821} - C:\Program Files\MSN Gaming Zone\quzaletum80.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {37f1cf60-ff79-c73b-4974-323371bdd47f} - {f74ddb17-3323-4794-b37c-97ff06fc1f73} - C:\WINDOWS\System32\pjyusfaq.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: vhmgrjgv - vhmgrjgv.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6260 bytes
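
HijackThis lists the autostart hooks but does not judge them; the helper reads the log by eye. The Python script below is an added example, not part of this thread and not part of HijackThis or ComboFix, that codifies some of the checks the replies above apply by hand: a target marked "(file missing)" or "(no file)", a BHO with no product name (or a CLSID where the name should be), a Run value holding a bare executable name with no path, a hex-looking Run value name, rundll32 loading a DLL by a one-letter export, and any Winlogon Notify package. The sample lines are copied from the HijackThis logs posted above, with a few known-good entries (QuickTime, Google Toolbar, AVG) left in for contrast. The rule set is a triage heuristic, not a verdict, and the reason strings it prints are my own wording.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs posted in
# this thread, plus known-good entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {01048EEF-DDF2-4577-B03F-E1A61E79F453} - C:\Program Files\Messenger\menorus83122.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {ADA37359-BCDA-449F-3F9D-BEECD46CB821} - C:\Program Files\MSN Gaming Zone\quzaletum80.dll (file missing)
O2 - BHO: {37f1cf60-ff79-c73b-4974-323371bdd47f} - {f74ddb17-3323-4794-b37c-97ff06fc1f73} - C:\WINDOWS\System32\pjyusfaq.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O20 - Winlogon Notify: vhmgrjgv - vhmgrjgv.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# "O4 - HKLM\..\Run: [Name] command" -> section / body
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# body of an O4 Run/RunServices/RunOnce entry -> hive, key, value name, command
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
# rundll32 invoking a DLL through a one-letter export, e.g. "x.dll",b
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?[^"]*\.dll"?,\w$', re.I)


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def triage(log_text):
    """Return one Finding per HijackThis line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []

        # Rule 1: the registry hook is still live but its target is gone.
        # The payload may have been removed, yet the hook must still be cleaned.
        if "(file missing)" in body.lower() or "(no file)" in body.lower():
            reasons.append("orphaned entry: target file missing")

        # Rule 2: a BHO that reports no product name, or a CLSID as its name.
        if section == "O2" and body.startswith("BHO: "):
            name = body[len("BHO: "):].split(" - ", 1)[0]
            if name == "(no name)" or name.startswith("{"):
                reasons.append("BHO with no product name")

        # Rule 3: Run/RunServices entries.
        if section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                name, cmd = rm.group("name"), rm.group("cmd")
                if "\\" not in cmd:
                    # Bare file name: located via the search path, so the
                    # actual binary cannot be identified from the log alone.
                    reasons.append("unqualified path: location cannot be verified")
                if HEX_NAME.match(name):
                    reasons.append("machine-generated value name")
                if RUNDLL_RE.search(cmd):
                    reasons.append("rundll32 loading a DLL by single-letter export")

        # Rule 4: Winlogon Notify packages load into winlogon.exe at logon;
        # HijackThis already hides the Windows defaults, so any listed one
        # deserves a look.
        if section == "O20":
            reasons.append("Winlogon Notify package loaded at logon")

        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

On the sample above the script leaves the QuickTime, Google Toolbar and AVG lines alone and flags the eight entries the helper later targets with the CFScript; the unqualified `USBhardware8.exe` entries are flagged because the log gives no way to tell which file on disk they resolve to, which is exactly why such entries get checked by hand.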


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Search* - *All Files and Folders* and, under *More advanced search options*, make sure there is a check by *Search System Folders*, *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\Program Files\Messenger\menorus83122.dll
C:\Program Files\Messenger\menorus4444.dll*
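
Before uploading samples to a multi-scanner it is worth hashing them locally: the Jotti results posted later in this thread report the same MD5 for both menorus DLLs, that is, one binary installed under two names. The Python below is an added example, not part of this thread and not Jotti's code, that streams each file through MD5 and SHA-256 and groups paths by digest. MD5 is kept because it is what the scanner page reports, SHA-256 because MD5 collisions are practical and current reputation services key on SHA-256. The sample files are constructed in a temporary directory under the thread's two file names plus one unrelated name; their contents are made up and are not the real DLLs.

```python
import hashlib
import os
import tempfile


def file_digests(paths, algorithms=("md5", "sha256"), chunk_size=1 << 16):
    """Return {path: {algorithm: hexdigest}} for each file, reading in chunks
    so a large binary never has to be held in memory at once."""
    results = {}
    for path in paths:
        hashers = {name: hashlib.new(name) for name in algorithms}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                for h in hashers.values():
                    h.update(chunk)
        results[path] = {name: h.hexdigest() for name, h in hashers.items()}
    return results


def group_by_digest(digests, algorithm="sha256"):
    """Map each digest to the paths that share it; a group with more than one
    member is the same binary dropped under several names."""
    groups = {}
    for path, per_algo in digests.items():
        groups.setdefault(per_algo[algorithm], []).append(path)
    return groups


def duplicate_groups(paths, algorithm="sha256"):
    """Hash the paths and return only digests shared by two or more files,
    as {digest: [sorted basenames]}."""
    groups = group_by_digest(file_digests(paths), algorithm)
    return {d: sorted(os.path.basename(p) for p in ps)
            for d, ps in groups.items() if len(ps) > 1}


def make_constructed_samples(directory):
    """Write constructed sample files (not the real DLLs from the thread) under
    the two names the helper asked to have scanned, plus one unrelated file."""
    shared = b"MZ" + b"\x00" * 62 + b"constructed sample, identical content\n"
    other = b"MZ" + b"\x00" * 62 + b"constructed sample, different content\n"
    layout = {
        "Messenger/menorus83122.dll": shared,
        "Messenger/menorus4444.dll": shared,
        "Google/googletoolbar1.dll": other,
    }
    paths = []
    for rel, content in layout.items():
        full = os.path.join(directory, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        paths.append(full)
    return paths


def demo():
    """Build the constructed samples in a temp dir and return
    ({basename: {algorithm: hexdigest}}, duplicate groups)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = make_constructed_samples(tmp)
        by_name = {os.path.basename(p): d for p, d in file_digests(paths).items()}
        return by_name, duplicate_groups(paths)


if __name__ == "__main__":
    digests, dups = demo()
    for name, per_algo in digests.items():
        print(f"{name}: md5={per_algo['md5']} sha256={per_algo['sha256']}")
    for digest, names in dups.items():
        print("same file under several names:", ", ".join(names), "->", digest)
```

Point the `file_digests` call at the real paths instead of the constructed ones and the MD5 column can be compared directly against what the scanner page prints; a match on every algorithm confirms the upload was the file you meant to submit.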


----------



## Cookiegal (Aug 27, 2003)

Also, please do the following.

Download *haxfix.exe*
and save it to your desktop.

Double click on *haxfix.exe* to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix


Select option *1. Make logfile* by typing *1* and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: *haxlog.txt* > (c:\haxfix.txt)
Copy the contents of that logfile and paste it into this thread.


----------



## Trinx (Nov 13, 2007)

Thanks again. I had no idea how time-consuming this would be & I really appreciate your help. Results & logs are listed below...
___

C:\Program Files\Messenger\menorus83122.dll

File: menorus83122.dll 
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 0b36bd26e49f50029b240ef4c5f2f729 
Packers detected: - 
Bit9 reports: Low threat detected (more info)

Scanner results 
Scan taken on 15 Nov 2007 01:11:23 (GMT) 
A-Squared Found Adware.Win32.TTC.a 
AntiVir Found ADSPY/TTC.A.5 
ArcaVir Found Adware.Ttc.A 
Avast Found Win32:Adloader-KH 
AVG Antivirus Found Generic2.JEG 
BitDefender Found Adware.TTC 
ClamAV Found nothing 
CPsecure Found AdWare.W32.TTC.A 
Dr.Web Found Adware.Ttc 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.TTC.a (4, 1, 400) 
Fortinet Found nothing 
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.TTC.a 
NOD32 Found nothing 
Norman Virus Control Found W32/TTC.DX 
Panda Antivirus Found nothing 
Rising Antivirus Found AdWare.Win32.TTC.d 
Sophos Antivirus Found Troj/TTC-Gen 
VirusBuster Found nothing 
VBA32 Found AdWare.Win32.TTC.a

_____

C:\Program Files\Messenger\menorus4444.dll

File: menorus4444.dll 
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5: 0b36bd26e49f50029b240ef4c5f2f729 
Packers detected: Analyzing... 
Bit9 reports: Low threat detected (more info)

Scanner results 
Scan taken on 15 Nov 2007 01:14:11 (GMT) 
A-Squared Found Adware.Win32.TTC.a 
AntiVir Found ADSPY/TTC.A.5 
ArcaVir Found Adware.Ttc.A 
Avast Found Win32:Adloader-KH 
AVG Antivirus Found Generic2.JEG 
BitDefender Found Adware.TTC 
ClamAV Found nothing 
CPsecure Found AdWare.W32.TTC.A 
Dr.Web Found Adware.Ttc 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.TTC.a (4, 1, 400) 
Fortinet Found nothing 
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.TTC.a 
NOD32 Found nothing 
Norman Virus Control Found W32/TTC.DX 
Panda Antivirus Found nothing 
Rising Antivirus Found AdWare.Win32.TTC.d 
Sophos Antivirus Found Troj/TTC-Gen 
VirusBuster Found nothing 
VBA32 Found AdWare.Win32.TTC.a

_____

HAXFIX logfile - by Marckie

version 4.57_1 
15/11/2007 1:19:36.12

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found 
Aspi32

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found

--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1207.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 01:19:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Finished!
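
Haxfix above reports Aspi32 as a service name matching its Haxdoor list, and the ComboFix log earlier in the thread shows that service's ImagePath only as a raw `hex(2)` value. The Python below is an added example, not part of this thread and not code from Haxfix or ComboFix, that decodes a `.reg`-style `hex(N):` payload (`hex(2)` is REG_EXPAND_SZ, stored as little-endian UTF-16 with a NUL terminator; `hex(7)` is REG_MULTI_SZ; plain `hex` is REG_BINARY) and resolves the SystemRoot-relative driver path so the responder knows which file to collect and hash. The ImagePath line is the one from the ComboFix log; `C:\WINDOWS` as system root is taken from the HijackThis logs above; the `\??\` and `\SystemRoot\` forms handled by `resolve_image_path` are the standard shapes a service ImagePath takes. Whether the file at that path is the legitimate ASPI layer or something else is decided by hashing and scanning the file, as was done for the BHO DLLs.

```python
import re

# The value exactly as printed in the ComboFix log earlier in this thread,
# for the service that Haxfix later reports as matching its Haxdoor list.
ASPI32_IMAGEPATH_LINE = (
    '"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,'
    '64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,'
    '33,00,32,00,2e,00,73,00,79,00,73,00,00,00"'
)

# .reg hex type tags this decoder understands
REG_TYPES = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ"}


def parse_reg_value_line(line):
    """Split a '"Name"="payload"' line from a .reg export into (name, payload)."""
    m = re.match(r'^\s*"(?P<name>[^"]+)"=(?P<payload>.+?)\s*$', line)
    if not m:
        raise ValueError("not a .reg value line: %r" % line)
    return m.group("name"), m.group("payload").strip('"')


def decode_hex_payload(payload):
    """Decode a 'hex(N):xx,xx,...' payload into (type name, value).
    Strings come back as str (REG_MULTI_SZ as a list of str), REG_BINARY as
    bytes. The '\\'-newline continuations regedit writes are tolerated."""
    tag, sep, data = payload.partition(":")
    if not sep or tag not in REG_TYPES:
        raise ValueError("unsupported payload: %r" % payload[:20])
    raw = bytes(int(b, 16) for b in re.split(r"[,\s\\]+", data) if b)
    kind = REG_TYPES[tag]
    if kind == "REG_BINARY":
        return kind, raw
    text = raw.decode("utf-16-le")          # registry strings are UTF-16LE
    if kind == "REG_MULTI_SZ":
        return kind, [s for s in text.split("\x00") if s]
    return kind, text.split("\x00", 1)[0]   # drop the NUL terminator


def resolve_image_path(image_path, system_root=r"C:\WINDOWS"):
    """Turn a service ImagePath into an absolute file path. Driver ImagePaths
    come in three shapes: NT-native '\\??\\C:\\...', '\\SystemRoot\\...', or a
    path relative to the Windows directory such as 'System32\\drivers\\x.sys'."""
    if image_path.startswith("\\??\\"):
        return image_path[4:]
    if image_path.lower().startswith("\\systemroot\\"):
        return system_root + image_path[len("\\SystemRoot"):]
    if re.match(r"^[A-Za-z]:\\", image_path):
        return image_path
    return system_root + "\\" + image_path.lstrip("\\")


def decode_image_path_line(line, system_root=r"C:\WINDOWS"):
    """Full pipeline for one ImagePath line: (name, reg type, decoded value,
    absolute path on disk)."""
    name, payload = parse_reg_value_line(line)
    kind, value = decode_hex_payload(payload)
    return name, kind, value, resolve_image_path(value, system_root)


if __name__ == "__main__":
    name, kind, value, resolved = decode_image_path_line(ASPI32_IMAGEPATH_LINE)
    print(f"{name} ({kind}): {value!r} -> {resolved}")
```

For the line from the log this yields `System32\drivers\aspi32.sys`, resolved under the system root to `C:\WINDOWS\System32\drivers\aspi32.sys`, which is the file to hash and submit for scanning before deciding whether the Aspi32 service is a legitimate leftover or part of the infection.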


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\WINDOWS\system32\0lad4Yr7.dll
> C:\WINDOWS\system32\ulqshpyl.dll
> C:\WINDOWS\system32\vpcyplnm.exe
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## Trinx (Nov 13, 2007)

ComboFix 07-11-08.3 - Ryan & Fi 2007-11-15 13:30:12.4 - NTFSx86
Running from: C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan & Fi\Desktop\CFScript.txt

FILE
C:\Program Files\Messenger\menorus4444.dll
C:\Program Files\Messenger\menorus83122.dll
C:\Program Files\MSN Gaming Zone\quzaletum80.dll
C:\Program Files\page.html
C:\WINDOWS\system32\0lad4Yr7.dll
C:\WINDOWS\system32\aslefqil.dll
C:\WINDOWS\system32\ciawnnqa.dll
C:\WINDOWS\system32\hgggfdd.dll
C:\WINDOWS\system32\IpCD8UWg.exe
C:\WINDOWS\system32\ixfqnlki.dll
C:\WINDOWS\System32\pjyusfaq.dll
C:\WINDOWS\system32\tuvwutq.dll
C:\WINDOWS\system32\ulqshpyl.dll
C:\WINDOWS\system32\vpcyplnm.exe
C:\WINDOWS\system32\wvutrsq.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Messenger\menorus4444.dll
C:\Program Files\Messenger\menorus83122.dll
C:\Program Files\page.html
C:\Program Files\TTC.dll\
C:\Temp\abW9
C:\Temp\abW9\tOasF.log
C:\WINDOWS\system32\0lad4Yr7.dll
C:\WINDOWS\system32\aslefqil.dll
C:\WINDOWS\system32\ciawnnqa.dll
C:\WINDOWS\system32\hgggfdd.dll
C:\WINDOWS\system32\IpCD8UWg.exe
C:\WINDOWS\system32\ixfqnlki.dll
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\system32\tuvwutq.dll
C:\WINDOWS\system32\ulqshpyl.dll
C:\WINDOWS\system32\vpcyplnm.exe
C:\WINDOWS\system32\wvutrsq.dll
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 01:19	90,112	--a------	C:\WINDOWS\system32\RegDACL.exe
2007-11-15 01:19	8,925	--a------	C:\clean.bat
2007-11-15 01:19	4,096	--a------	C:\WINDOWS\system32\reboot.exe
2007-11-15 01:19	347	--a------	C:\run2.reg
2007-11-14 04:08	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 04:08	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 04:08	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-11-14 04:08	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-11-14 04:08	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 00:28	1,512	--a------	C:\WINDOWS\system32\tmp.reg
2007-11-13 22:26 d--------	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:24 d--------	C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-13 17:59	115,200	--a------	C:\WINDOWS\system32\dpcdll.dll
2007-11-13 17:54 d--------	C:\WINDOWS\ServicePackFiles
2007-11-13 17:54 d--------	C:\WINDOWS\ehome
2007-11-13 17:54	29,696	---------	C:\WINDOWS\system32\asr_pfu.exe
2007-11-13 17:54	17,792	---------	C:\WINDOWS\system32\drivers\irbus.sys
2007-11-13 17:54	10,752	---------	C:\WINDOWS\system32\spiisupd.exe
2007-11-13 16:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-12 23:11 d--------	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-12 23:03	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:02 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-11-09 16:32 d--hs----	C:\WINDOWS\UnlhbiAmIEZp
2007-11-09 16:28 d--------	C:\WINDOWS\system32\rev3
2007-11-09 16:28 d--------	C:\WINDOWS\system32\dn5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 22:29	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:28	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2007-11-12 23:11	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-09 18:48	---------	d-----w	C:\Program Files\Soulseek
2007-10-23 13:37	---------	d-----w	C:\Program Files\BitTorrent
2005-12-05 20:37	33,096	-c--a-w	C:\Documents and Settings\Ryan & Fi\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 23:13:12	56	--sh--r	C:\WINDOWS\system32\179D0E0F3F.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\dn5 ----

---- Directory of C:\WINDOWS\system32\rev3 ----

2007-11-09 10:35	9814	--a------	C:\WINDOWS\system32\rev3\revdrive33b.exe

---- Directory of C:\WINDOWS\UnlhbiAmIEZp ----

((((((((((((((((((((((((((((( snapshot_2007-11-14_20.30.31.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-14 20:08:14	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-11-15 13:29:35	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2005-11-09 00:26:46	38,400	----a-w	C:\WINDOWS\system32\moveex.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-02 23:27]
"USB Hardware8 Monitoring"="USBhardware8.exe" []
"RFX_auto_upgrade"="" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 12:06]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 18:29]
"3cd73b5b"="C:\WINDOWS\System32\ulqshpyl.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-13 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"USB Hardware8 Monitoring"="USBhardware8.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 17:38]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"USB Hardware8 Monitoring"=USBhardware8.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 13:52:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Aspi32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
Completion time: 2007-11-15 14:00:43 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 22:03
C:\ComboFix3.txt ... 2007-11-14 20:32
.
--- E O F ---
_____

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:03:26, on 15/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [3cd73b5b] rundll32.exe "C:\WINDOWS\System32\ulqshpyl.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5717 bytes


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixTrinx.zip file to this post. Save it to your desktop. Unzip it and double click the FixTrinx.reg file and allow it to enter into the registry.

Open Notepad and copy and paste the text in the quote box below into it:



> Folder::
> C:\WINDOWS\system32\dn5
> C:\WINDOWS\system32\rev3
> C:\WINDOWS\UnlhbiAmIEZp
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## Trinx (Nov 13, 2007)

ComboFix 07-11-08.3 - Ryan & Fi 2007-11-16 1:18:12.5 - NTFSx86
Running from: C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan & Fi\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dn5
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\rev3\revdrive33b.exe
C:\WINDOWS\UnlhbiAmIEZp

.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 01:19	90,112	--a------	C:\WINDOWS\system32\RegDACL.exe
2007-11-15 01:19	8,925	--a------	C:\clean.bat
2007-11-15 01:19	4,096	--a------	C:\WINDOWS\system32\reboot.exe
2007-11-15 01:19	347	--a------	C:\run2.reg
2007-11-14 04:08	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 04:08	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 04:08	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-11-14 04:08	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-11-14 04:08	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 00:28	1,512	--a------	C:\WINDOWS\system32\tmp.reg
2007-11-13 22:26 d--------	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:24 d--------	C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-13 17:59	115,200	--a------	C:\WINDOWS\system32\dpcdll.dll
2007-11-13 17:54 d--------	C:\WINDOWS\ServicePackFiles
2007-11-13 17:54 d--------	C:\WINDOWS\ehome
2007-11-13 17:54	29,696	---------	C:\WINDOWS\system32\asr_pfu.exe
2007-11-13 17:54	17,792	---------	C:\WINDOWS\system32\drivers\irbus.sys
2007-11-13 17:54	10,752	---------	C:\WINDOWS\system32\spiisupd.exe
2007-11-13 16:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-12 23:11 d--------	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-12 23:03	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:02 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 22:29	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:28	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2007-11-12 23:11	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-09 18:48	---------	d-----w	C:\Program Files\Soulseek
2007-10-23 13:37	---------	d-----w	C:\Program Files\BitTorrent
2005-12-05 20:37	33,096	-c--a-w	C:\Documents and Settings\Ryan & Fi\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 23:13:12	56	--sh--r	C:\WINDOWS\system32\179D0E0F3F.sys
.

((((((((((((((((((((((((((((( snapshot_2007-11-14_20.30.31.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-14 20:08:14	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-11-16 01:17:39	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2005-11-09 00:26:46	38,400	----a-w	C:\WINDOWS\system32\moveex.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-02 23:27]
"USB Hardware8 Monitoring"="USBhardware8.exe" []
"RFX_auto_upgrade"="" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 12:06]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 18:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-13 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"USB Hardware8 Monitoring"="USBhardware8.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 17:38]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"USB Hardware8 Monitoring"=USBhardware8.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 01:26:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 1:29:28
C:\ComboFix2.txt ... 2007-11-15 14:00
C:\ComboFix3.txt ... 2007-11-14 22:03
.
--- E O F ---

___

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:36:27, on 16/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5686 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS

O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamste...gameloader.cab

Open Notepad and copy and paste the text in the quote box below into it:



> File::
> C:\Windows\System32\USBhardware8.exe
> 
> Driver::
> ...


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## Trinx (Nov 13, 2007)

Thank you so much for all your help & time thus far. Have a good weekend.

ComboFix 07-11-08.3 - Ryan & Fi 2007-11-17 3:56:50.6 - NTFSx86
Running from: C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan & Fi\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Windows\System32\USBhardware8.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-15 01:19	90,112	--a------	C:\WINDOWS\system32\RegDACL.exe
2007-11-15 01:19	8,925	--a------	C:\clean.bat
2007-11-15 01:19	4,096	--a------	C:\WINDOWS\system32\reboot.exe
2007-11-15 01:19	347	--a------	C:\run2.reg
2007-11-14 04:08	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 04:08	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 04:08	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-11-14 04:08	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-11-14 04:08	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 00:28	1,512	--a------	C:\WINDOWS\system32\tmp.reg
2007-11-13 22:26 d--------	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:24 d--------	C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-13 17:59	115,200	--a------	C:\WINDOWS\system32\dpcdll.dll
2007-11-13 17:54 d--------	C:\WINDOWS\ServicePackFiles
2007-11-13 17:54 d--------	C:\WINDOWS\ehome
2007-11-13 17:54	29,696	---------	C:\WINDOWS\system32\asr_pfu.exe
2007-11-13 17:54	17,792	---------	C:\WINDOWS\system32\drivers\irbus.sys
2007-11-13 17:54	10,752	---------	C:\WINDOWS\system32\spiisupd.exe
2007-11-13 16:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-12 23:11 d--------	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-12 23:03	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:02 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 15:20	---------	d-----w	C:\Program Files\Soulseek
2007-11-13 22:29	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:28	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2007-11-12 23:11	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-10-23 13:37	---------	d-----w	C:\Program Files\BitTorrent
2005-12-05 20:37	33,096	-c--a-w	C:\Documents and Settings\Ryan & Fi\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 23:13:12	56	--sh--r	C:\WINDOWS\system32\179D0E0F3F.sys
.

((((((((((((((((((((((((((((( snapshot_2007-11-14_20.30.31.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-14 20:08:14	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-11-17 03:56:16	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2005-11-09 00:26:46	38,400	----a-w	C:\WINDOWS\system32\moveex.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-02 23:27]
"RFX_auto_upgrade"="" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 12:06]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 18:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-13 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 17:38]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"USB Hardware8 Monitoring"=USBhardware8.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 USBCamera;DIGITAL CAMERA;C:\WINDOWS\System32\Drivers\Bulk533.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 04:06:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 4:10:29
C:\ComboFix2.txt ... 2007-11-16 01:29
C:\ComboFix3.txt ... 2007-11-15 14:00
.
--- E O F ---
___

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 04:13:54, on 17/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5147 bytes


----------



## Cookiegal (Aug 27, 2003)

Sorry, I meant to include this entry in the last script that was run so please run this new script.

Open Notepad and copy and paste the text in the quote box below into it:



> [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
> "USB Hardware8 Monitoring"=-


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## Trinx (Nov 13, 2007)

Reboot not required it seems.

ComboFix 07-11-08.3 - Ryan & Fi 2007-11-17 19:49:40.7 - NTFSx86
Running from: C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan & Fi\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-15 01:19	90,112	--a------	C:\WINDOWS\system32\RegDACL.exe
2007-11-15 01:19	8,925	--a------	C:\clean.bat
2007-11-15 01:19	4,096	--a------	C:\WINDOWS\system32\reboot.exe
2007-11-15 01:19	347	--a------	C:\run2.reg
2007-11-14 04:08	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-11-14 04:08	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-11-14 04:08	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-11-14 04:08	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-11-14 04:08	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-11-14 00:28	1,512	--a------	C:\WINDOWS\system32\tmp.reg
2007-11-13 22:26 C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:24 d--------	C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-11-13 17:59	115,200	--a------	C:\WINDOWS\system32\dpcdll.dll
2007-11-13 17:54 d--------	C:\WINDOWS\ServicePackFiles
2007-11-13 17:54 d--------	C:\WINDOWS\ehome
2007-11-13 17:54	29,696	---------	C:\WINDOWS\system32\asr_pfu.exe
2007-11-13 17:54	17,792	---------	C:\WINDOWS\system32\drivers\irbus.sys
2007-11-13 17:54	10,752	---------	C:\WINDOWS\system32\spiisupd.exe
2007-11-13 16:10	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-12 23:11 C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-11-12 23:03	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-12 23:02 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 15:20	---------	d-----w	C:\Program Files\Soulseek
2007-11-13 22:29	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\AVG7
2007-11-13 22:28	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2007-11-12 23:11	---------	d-----w	C:\Documents and Settings\Ryan & Fi\Application Data\Grisoft
2007-10-23 13:37	---------	d-----w	C:\Program Files\BitTorrent
2005-12-05 20:37	33,096	-c--a-w	C:\Documents and Settings\Ryan & Fi\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 23:13:12	56	--sh--r	C:\WINDOWS\system32\179D0E0F3F.sys
.

((((((((((((((((((((((((((((( snapshot_2007-11-14_20.30.31.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-14 20:08:14	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-11-17 19:49:11	266,240	----a-w	C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2005-11-09 00:26:46	38,400	----a-w	C:\WINDOWS\system32\moveex.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-02 23:27]
"RFX_auto_upgrade"="" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 16:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-17 12:06]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 18:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-13 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 17:38]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"USB Hardware8 Monitoring"=USBhardware8.exe

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

S3 USBCamera;DIGITAL CAMERA;C:\WINDOWS\System32\Drivers\Bulk533.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 19:55:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 19:59:18
C:\ComboFix2.txt ... 2007-11-17 04:10
C:\ComboFix3.txt ... 2007-11-16 01:29
.
--- E O F ---
___

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:03:10, on 17/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5054 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and fix this entry:

*O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe*

Reboot and post a new HijackThis log please.
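A defender's triage of the HijackThis lines quoted above, added here as an example and not code from the thread: it parses O4 autostart entries, flags the tells a helper looks for (the legacy RunServices location and the bare `USBhardware8.exe` filename with no path, plus the orphaned O2 and O9 entries), and emits the `"name"=-` registry deletion in the same notation as the CFScript fix posted earlier. The sample lines are excerpted from this thread's logs; the heuristics and weights are the example's own.

```python
"""Triage a HijackThis log excerpt: flag suspicious O4/O2/O9 entries and
build a Registry Editor script that removes a flagged autostart value."""
import re

# O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
# HKUS lines carry a trailing "(User 'LOCAL SERVICE')" annotation.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^\s]*?)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# First executable of a command line: a quoted path, or everything up to the
# first .exe/.dll-style extension (unquoted paths may contain spaces).
EXE_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)', re.I
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKUS": "HKEY_USERS"}

# Constructed sample: lines excerpted from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [USB Hardware8 Monitoring] USBhardware8.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
"""


def parse_o4(line):
    """Split a registry-based O4 line into hive, key, value name, command
    and the executable the command launches. Returns None for other lines."""
    m = O4_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    e = EXE_RE.match(entry["cmd"])
    entry["exe"] = (e.group(1) or e.group(2)) if e else entry["cmd"]
    return entry


def flag_line(line):
    """Return the reasons (possibly none) a helper would query this line."""
    reasons = []
    if line.startswith("O4 - "):
        entry = parse_o4(line)
        if entry is None:
            return reasons
        if entry["key"].lower() == "runservices":
            reasons.append("RunServices key: Windows 9x-era autostart location, "
                           "rarely used by legitimate software on XP")
        if "\\" not in entry["exe"] and ":" not in entry["exe"]:
            reasons.append("bare filename with no directory: the binary's real "
                           "location is hidden and resolved via the search path")
    elif line.startswith("O2 - ") and line.endswith("(no file)"):
        reasons.append("BHO CLSID registered but its DLL is gone: orphaned entry")
    elif line.startswith("O9 - ") and line.endswith("(file missing)"):
        reasons.append("IE button/menu item whose target no longer exists")
    return reasons


def review(log_text):
    """Flag every line of a log; entries with the most reasons come first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = flag_line(line)
        if reasons:
            findings.append((line, reasons))
    findings.sort(key=lambda f: -len(f[1]))  # stable: ties keep log order
    return findings


def reg_delete_script(entry):
    """Registry Editor script deleting one autostart value ("name"=- removes
    the value), the notation the helper's CFScript used for RunServices."""
    root, _, sub = entry["hive"].partition("\\")
    key = HIVES[root] + ("\\" + sub if sub else "")
    key += "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + entry["key"]
    return f'Windows Registry Editor Version 5.00\n\n[{key}]\n"{entry["name"]}"=-\n'


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
    worst = parse_o4(review(SAMPLE_LOG)[0][0])
    print(reg_delete_script(worst))
```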


----------



## Trinx (Nov 13, 2007)

There is a new folder on my desktop called backups. I have no idea if this is of any relevance! New HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:11:20, on 18/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5043 bytes


----------



## Cookiegal (Aug 27, 2003)

The backup folder belongs to HijackThis because you are running it from your desktop.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report


----------



## Trinx (Nov 13, 2007)

It's scanning now, but it's making me start to run dangerously low on disk space on my hard drive & it's not even halfway through yet. I think I might have to abort, archive some files to free up space & try again.


----------



## Cookiegal (Aug 27, 2003)

How much RAM do you have?

What is the size of the paging file? To find that information, do this:

Click Start, and then click Control Panel.
If in Category view, click Performance and Maintenance and then click System (if in Classic view just click System).
On the Advanced tab, under Performance, click Settings.
On the Advanced tab, under Virtual memory, click Change.
Don't change anything but let me know what it says the size of the initial file is.


----------



## Trinx (Nov 13, 2007)

Just as I was about to abort I suddenly realised I have magically got 400MB back. Still scanning.


----------



## Trinx (Nov 13, 2007)

A meagre 128MB of RAM.

Initial file size 192MB.

My free disk space is no longer being eaten away quickly & I have over half a gig free. Still scanning. I'm used to things taking longer than they ought to with this ageing machine!


----------



## Trinx (Nov 13, 2007)

| Incident | Status | Location |
|---|---|---|
| Adware:adware/adlogix | Not disinfected | c:\windows\system32\retpdat32.xml |
| Adware:adware/ist.istbar | Not disinfected | Windows Registry |
| Spyware:Cookie/888 | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/888 | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][3].txt |
| Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][3].txt |
| Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Adviva | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/nCase | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Bluestreak | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/bravenetA | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Cassava | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Mediaplex | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/Overture | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Overture | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/Server.iad.Liveperson | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/WebtrendsLive | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Spyware:Cookie/Tradedoubler | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][2].txt |
| Spyware:Cookie/Zedo | Not disinfected | C:\Documents and Settings\Ryan & Fi\Cookies\ryan & [email protected][1].txt |
| Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe[nircmd.exe] |
| Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\Documents and Settings\Ryan & Fi\Desktop\ComboFix.exe[nircmd.cfexe] |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Ryan & Fi\Desktop\SmitfraudFix\Process.exe |
| Virus:Trj/Rebooter.J | Disinfected | C:\Documents and Settings\Ryan & Fi\Desktop\SmitfraudFix\Reboot.exe |
| Potentially unwanted tool:Application/SuperFast | Not disinfected | C:\Documents and Settings\Ryan & Fi\Desktop\SmitfraudFix\restart.exe |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\Program Files\HaxFix\Process.exe |
| Virus:Generic Malware | Disinfected | C:\Program Files\MSN Gaming Zone\quzaletum.dll |
| Adware:Adware/TTC | Not disinfected | C:\qoobox\Quarantine\C\Program Files\Messenger\menorus4444.dll.vir |
| Adware:Adware/TTC | Not disinfected | C:\qoobox\Quarantine\C\Program Files\Messenger\menorus83122.dll.vir |
| Virus:Generic Malware | Disinfected | C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\quzaletum.dll.vir |
| Virus:Generic Malware | Disinfected | C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\quzaletum534.dll.vir |
| Virus:Trj/WinAble.A | Disinfected | C:\qoobox\Quarantine\C\Program Files\Temporary\wininstall.exe.vir |
| Virus:Trj/BHO.O | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\0lad4Yr7.dll.vir |
| Spyware:Spyware/Virtumonde | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\aslefqil.dll.vir |
| Virus:Trj/Agent.HBA | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\hgggfdd.dll.vir |
| Adware:Adware/PurityScan | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\iflfyiol.dll.vir |
| Virus:Trj/Agent.HAY | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\IpCD8UWg.exe.vir |
| Adware:Adware/PurityScan | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\owfpumdv.dll.vir |
| Virus:Trj/Downloader.RBV | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\rev3\revdrive33b.exe.vir |
| Adware:Adware/PurityScan | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\swmvnwtu.dll.vir |
| Virus:Trj/Agent.HBA | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\tuvwutq.dll.vir |
| Virus:Trj/Agent.HCL | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\ulqshpyl.dll.vir |
| Spyware:Spyware/Virtumonde | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\vpcyplnm.exe.vir |
| Virus:Trj/Agent.HBA | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\wvutrsq.dll.vir |
| Adware:Adware/TTC | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\x2\jumper83122.exe.vir |
| Adware:Adware/PurityScan | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\__c0038C76.dat.vir |
| Adware:Adware/TTC | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\tk58.exe.vir |
| Adware:Adware/TTC | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir |
| Adware:Adware/PurityScan | Not disinfected | C:\qoobox\Quarantine\catchme2007-11-13_164649.89.zip[__c005AF4C.dat] |
| Potentially unwanted tool:Application/MyWay | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP10\A0000154.exe |
| Potentially unwanted tool:Application/MyWay | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP11\A0000355.EXE |
| Potentially unwanted tool:Application/MyWay | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP11\A0000356.DLL |
| Potentially unwanted tool:Application/MyWay | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP11\A0000360.DLL |
| Dialer:Dialer.Gen | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP12\A0000379.exe |
| Dialer:Dialer.Gen | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP12\A0000380.exe |
| Dialer:Dialer.Gen | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP12\A0000382.exe |
| Potentially unwanted tool:Application/FunWeb | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP29\A0002994.DLL |
| Potentially unwanted tool:Application/FunWeb | Not disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP30\A0003003.inf |
| Virus:Generic Malware | Disinfected | C:\System Volume Information\_restore{3B56126E-9A8E-4353-87B4-26A87B4B57AA}\RP38\A0004161.dll |
| Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\WINDOWS\NirCmd.exe |
| Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\system32\Process.exe |


----------



## ~Candy~ (Jan 27, 2001)

128 megs of ram with XP 

That is AMAZING that it even runs. You definitely need to keep your O4 startup items as lean as possible.


----------



## Trinx (Nov 13, 2007)

Indeed. I have just ordered some extra memory to get this up to 512MB.


----------



## ~Candy~ (Jan 27, 2001)

If you plan on keeping the original chip in there, be sure what you ordered is compatible, as all memory doesn't play nicely together.


----------



## Trinx (Nov 13, 2007)

Yeah I found a website that checks the manufacturer & model number & tells you exactly how much you can upgrade to & which type to get. I like things to be idiot-proof!

Thanks.


----------



## ~Candy~ (Jan 27, 2001)

:up:


----------



## Cookiegal (Aug 27, 2003)

Locate and delete this file:

c:\windows\system32\*retpdat32.xml*

How are things running now?


----------



## Trinx (Nov 13, 2007)

I located & deleted the file. Windows says it was created & last accessed in 2004, although I understand this information may have been manipulated.

To be honest things are running very slowly, not just internet but every action. I have no pop-ups or balloons invading my desktop any more but every action is very slow. It seemed to be faster a couple of days ago, about half way through the process so far.

I have not scanned using AVG AV or Antispyware since your kind help, and whenever either program has ever picked anything up I have instructed it to ignore, as I didn't want to move or quarantine any files you were working with. Let me know if you think I should run scans with those now. In the meantime I'll reboot having deleted the file you specified & see how things are then.


----------



## Trinx (Nov 13, 2007)

So it took 25 minutes for me to restart & get IE back to make this post, and it never used to take that long. However, now "up to speed" everything seems fine.


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes* group click *ALL*
In the *Win32 Services* group click *ALL*
In the *Driver Services* group click *ALL*
In the *Registry* group click *ALL*
In the *Files Created Within* group click *60 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days*. Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group click *SELECT ALL*
In the *Additional Scans* section please select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## Trinx (Nov 13, 2007)

Thank you. The file is attached.


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - All]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> RFX_auto_upgrade -> 
[Registry - Additional Scans - All]
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> ViewpointMediaPlayer -> Viewpoint Media Player
YN -> WildTangent CDA -> WildTangent Web Driver
[Files/Folders - Created Within 60 days]
NY -> iklnqfxi.ini -> %System32%\iklnqfxi.ini
NY -> lyphsqlu.ini -> %System32%\lyphsqlu.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## Trinx (Nov 13, 2007)

WinPFind3u did not ask me if I wanted to reboot. I checked the log file had been created & rebooted manually.
___
Explorer killed successfully
[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RFX_auto_upgrade deleted successfully.
[Registry - Additional Scans - All]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent CDA deleted successfully.
[Files/Folders - Created Within 60 days]
C:\WINDOWS\SYSTEM32\iklnqfxi.ini moved successfully.
C:\WINDOWS\SYSTEM32\lyphsqlu.ini moved successfully.
[Empty Temp Folders]
C:\DOCUME~1\RYAN&F~1\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Ryan & Fi\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 11/21/2007 00:08:51
___

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:35:19, on 21/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ryan & Fi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5233 bytes


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "application" and "system" for recent errors shown in red and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## Cookiegal (Aug 27, 2003)

Also, please do this:

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## Trinx (Nov 13, 2007)

Both sets of information are too long to post & are attached as Notepad files.


----------



## Cookiegal (Aug 27, 2003)

These steps will take care of many of those errors:

http://support.microsoft.com/kb/916254

Also, do this:

1. Open the Component Services console.
2. Click on Computers.
3. Right click on My Computer and select Properties.
4. Select the MSDTC tab and click on Tracing Options.
5. Click in sequence: Stop Session, New Session, Flush Data, OK, and OK.
6. Restart the DTC service

Now do the following:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders".
Click "Apply" then "OK".

Go to Start > Search - All Files and Folders and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Search for this file and let me know if you find it and where it's located if you do:

*aspi32.sys*


----------



## Trinx (Nov 13, 2007)

http://support.microsoft.com/kb/916254

This seems to relate to SP2, which I do not yet have installed. I was instructed to not install it yet. Or is it still relevant?

I always try to follow your instructions in the order you provide them so will do no more until you reply.

Many thanks.


----------



## Cookiegal (Aug 27, 2003)

Hmmmm.....I'm not sure about the MS article so skip it for now but carry on with the rest of the instructions.


----------



## Trinx (Nov 13, 2007)

_1. Open the Component Services console._

Do you mean:

Run: comexp.msc ?

Windows cannot find it when I try this. Sorry if I'm being stupid, as I suspect is the case.


----------



## Trinx (Nov 13, 2007)

I found it at:

c:\windows\system32\com\comexp.msc


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Administrative Tools - Component services and then follow the rest of the instructions.


----------



## Trinx (Nov 13, 2007)

All done. Although your instructions did not tell me to stop the DTC service, so it took me a while to locate the Start command.

aspi32.sys was not found when searching the hard drive.

Everything seems very well with this machine though, especially now I have got my RAM upgrade sorted out.


----------



## Cookiegal (Aug 27, 2003)

Please go back into the Event Viewer and see if there are any errors from the last 48 hours only and if so, post them, as you did before.

Are you having any problems with your Nero burning software?


----------



## Trinx (Nov 13, 2007)

Nero loads up OK, I don't have any blank media handy to test it properly though. Actually I could do a test write on a rewritable disc. Should I try video or audio? Here's the event viewer information:

APPLICATION

Event Type:	Error
Event Source:	MSDTC Client
Event Category:	Tracing Infrastructure
Event ID:	4405
Date: 21/11/2007
Time: 23:48:41
User: N/A
Computer:	MA
Description:
MS DTC Tracing infrastructure : the attempt to create a new trace session failed. Internal Information : msdtc_trace : File: d:\nt_qxp\com\com1x\dtc\dtc\trace\src\tracelib.cpp, Line: 1115, StartTrace Failed, hr=0x80070070

.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	MSDTC Client
Event Category:	Tracing Infrastructure
Event ID:	4405
Date: 21/11/2007
Time: 23:48:33
User: N/A
Computer:	MA
Description:
MS DTC Tracing infrastructure : the attempt to create a new trace session failed. Internal Information : msdtc_trace : File: d:\nt_qxp\com\com1x\dtc\dtc\trace\src\tracelib.cpp, Line: 1115, StartTrace Failed, hr=0x80070070

.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

SYSTEM

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 22/11/2007
Time: 14:25:24
User: N/A
Computer:	MA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 21/11/2007
Time: 17:18:03
User: N/A
Computer:	MA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 21/11/2007
Time: 15:59:07
User: N/A
Computer:	MA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 21/11/2007
Time: 00:18:23
User: N/A
Computer:	MA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7011
Date: 21/11/2007
Time: 00:18:22
User: N/A
Computer:	MA
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 20/11/2007
Time: 23:50:55
User: N/A
Computer:	MA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
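The Event Viewer text pasted above follows a fixed layout (tab-separated `Field:` headers, a `Description:` block, and a closing "For more information" line), which makes it easy to summarise mechanically when a thread has dozens of such records. The script below is an added example for this thread, not a tool used by either poster: it parses that layout, counts records per source and event ID so repeats stand out, and pulls the driver names out of Service Control Manager event 7026 descriptions (the "failed to load" entries that led to the `sc config ... start= disabled` step). The sample records are constructed to match the shapes seen in the post; `ExampleDrv` is a hypothetical driver name used only to show that a 7026 record can list more than one driver.

```python
"""Summarise Event Viewer records pasted as text (Windows XP "copy" format).

Added example for the thread; the SAMPLE_EVENTS string below is constructed
to mirror the record shapes posted above, not copied from the poster's logs.
"""
import re
from collections import Counter

# Constructed sample: two SCM 7026 records and one MSDTC 4405 record, in the
# "Field:<tab>value" layout the XP Event Viewer copies to the clipboard.
# "ExampleDrv" is a hypothetical driver name, not one from the thread.
SAMPLE_EVENTS = """\
Event Type:\tError
Event Source:\tService Control Manager
Event Category:\tNone
Event ID:\t7026
Date: 22/11/2007
Time: 14:25:24
User: N/A
Computer:\tMA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:\tError
Event Source:\tService Control Manager
Event Category:\tNone
Event ID:\t7026
Date: 21/11/2007
Time: 17:18:03
User: N/A
Computer:\tMA
Description:
The following boot-start or system-start driver(s) failed to load: 
Aspi32
ExampleDrv

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:\tError
Event Source:\tMSDTC Client
Event Category:\tTracing Infrastructure
Event ID:\t4405
Date: 21/11/2007
Time: 23:48:41
User: N/A
Computer:\tMA
Description:
MS DTC Tracing infrastructure : the attempt to create a new trace session failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

# Header fields; the separator after the colon may be a tab or a space.
FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)


def parse_events(text):
    """Split pasted Event Viewer text into one dict per record.

    A record starts at "Event Type:" and its description runs from the line
    after "Description:" up to the "For more information" footer.
    """
    events = []
    current = None
    in_description = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Event Type:"):
            current = {"Description": []}
            events.append(current)
            in_description = False
        if current is None:
            continue  # text before the first record is ignored
        if in_description:
            if line.startswith("For more information"):
                in_description = False
            elif line:
                current["Description"].append(line)
            continue
        if line == "Description:":
            in_description = True
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
    for event in events:
        event["Description"] = "\n".join(event["Description"])
    return events


def summarize(events):
    """Count records per (source, event ID) so recurring errors stand out."""
    return Counter((e.get("Event Source"), e.get("Event ID")) for e in events)


def failed_drivers(events):
    """Driver names listed by Service Control Manager event 7026 records.

    The first description line is the fixed message; every following
    non-empty line names one driver that failed to load.
    """
    names = Counter()
    for event in events:
        if event.get("Event Source") == "Service Control Manager" and event.get("Event ID") == "7026":
            for name in event["Description"].splitlines()[1:]:
                names[name.strip()] += 1
    return names


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for (source, event_id), count in summarize(parsed).most_common():
        print(f"{count:3d} x {source} / {event_id}")
    for driver, count in failed_drivers(parsed).most_common():
        print(f"driver failed to load {count} time(s): {driver}")
```

A driver that appears in every boot's 7026 record but whose file cannot be found on disk (as with `aspi32.sys` here) is a leftover service registration rather than active malware, which is why the remedy is to disable the service entry rather than to hunt for the file.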


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* - type in *cmd* and hit Enter.

Type this command exactly as shown below (including spaces) and hit enter:

*sc config Aspi32 start= disabled*

Reboot the computer.

Let me know how things are running please.


----------



## Trinx (Nov 13, 2007)

Yes, everything seems well, thank you. Are we done?


----------



## Cookiegal (Aug 27, 2003)

Now you should get SP2 for maximum protection.

You can delete the ComboFix utility and delete this folder, which is where ComboFix stores deleted files as backups:

C:\*Qoobox*

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.


----------



## Trinx (Nov 13, 2007)

Cookiegal, thank you so much for all your assistance. I have auctions ending on eBay this evening which means funds in my Paypal & I very much look forward to making a donation so you can continue fixing people's technical woes. It won't be a fortune but I am very aware how much it would have cost to get a professional to visit & fix this for me.

I know your time is precious, I just have a couple of questions:

- Will Spywareblaster run happily alongside AVG Anti-Spyware or should I use Spywareblaster instead?

- As a result of me being infected, am I now more vulnerable to future attacks (ie is it likely a malicious attacker will now have my IP address & try to target me)?

- Did I read somewhere a few weeks ago that threads can be flagged as "fixed"? How do I do that?

Thanks again for all your time & assistance with cure & prevention, which is very much appreciated.


----------



## ~Candy~ (Jan 27, 2001)

I'll answer one of your questions, since I know that Cookiegal aka Karen is out right now....you can mark the thread solved using the THREAD TOOLS drop down menu.


----------



## Cookiegal (Aug 27, 2003)

Thank you for your kind donation which is much appreciated. :up:

SpywareBlaster doesn't actually "run" and you can have it installed along with AVG-AS without any problems.

IPs are targeted by port scans all the time so you should also get a good firewall such as Zone Alarm which is free. It's better than relying on the Windows one which only blocks incoming packets whereas Zone Alarm will block inbound and outbound. 


Trinx said:


> Cookiegal, thank you so much for all your assistance. I have auctions ending on eBay this evening which means funds in my Paypal & I very much look forward to making a donation so you can continue fixing people's technical woes. It won't be a fortune but I am very aware how much it would have cost to get a professional to visit & fix this for me.
> 
> I know your time is precious, I just have a couple of questions:
> 
> ...


----------

