# Solved: Virus that deletes my system restore points and disables the task manager



## Lacoste (Feb 2, 2007)

Greetings and salutations

I have been away for a while and my brother inserted my cousin's USB drive into our computer for an errand. While the PC booted up, an unknown program suddenly prompted my brother to open a file with the "open with" option. Seeing this as nothing, he proceeded to access the USB and double-clicked. This made my desktop download files from the infected USB and created a backup file for every program in my program menu (i.e. Yahoo Messenger > yahoo messenger.exe, etc.). To make matters worse, it deleted the system restore points and disabled the task manager. AVG does not detect any malware and Lavasoft Ad-Aware did not pick up any unusual file. I ran HijackThis and created a log file without deleting anything. Hope this helps.

Here are my computer specs:

Athlon XP 1600
1 gig ram DDR

Windows XP Home Edition
80 gig Seagate ram (2 partitions, 20 gig and 60 gig)

Internet connection
IE6
Firefox

AVG 7.54 Free edition

Thanks

Oh, and the latest HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:56 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


----------
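
The four logs in this thread repeat the same handful of structurally odd entries: a second executable chained onto the `Shell=` line (F2), a `.dll.vbs` script in an HKLM Run key, a Run entry labelled "Yahoo Messengger" that points at an unbranded `SSCVIHOST.exe` in system32 (the same binary as on the Shell line), a `Startup.exe` in both the per-user and the All Users Startup folders, a policy value that disables regedit (O7), and a Winlogon Notify DLL that is no longer on disk (O20). Note that the O7 line shows only `DisableRegedit`; the task-manager policy the poster reports is not visible in these logs. The Python below is an added example, not from the thread and not part of HijackThis: it reads HJT-format lines and flags them on shape alone (what the Shell line chains, what extension a Run target carries, whether one binary is registered in more than one autostart location, which policies are set, whether a Notify DLL is dangling). It names no malware family. The sample lines are constructed from entries of the kind the thread's log shows; the heuristics, thresholds and the `TOOL_POLICIES` list are my own choices.

```python
"""Structural triage of HijackThis 1.99 log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Autostart targets that are scripts rather than programs.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".pif", ".scr")
# Policy values that switch off the tools a user reaches for first (assumed list).
TOOL_POLICIES = ("DisableRegedit", "DisableTaskMgr", "DisableCMD", "NoRun")

# Constructed sample: entries of the kind HijackThis emits. The odd ones mirror
# the thread's log; the vendor lines are there to show what is not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag ("F2", "O4", ...) or "multi" for cross-line findings
    reason: str
    line: str


_F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$", re.IGNORECASE)
_O4 = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<label>[^\]]*)\] )?(?P<target>.+)$")


def basename_of(target: str) -> str:
    """Executable file name (lower-cased) from an HJT autostart target string."""
    t = target.strip()
    if " = " in t:                       # "name.lnk = C:\full\path.exe" form used for Startup folders
        t = t.split(" = ", 1)[1].strip()
    elif t.startswith('"'):              # quoted path followed by arguments
        t = t[1:].split('"', 1)[0]
    else:                                # unquoted path, arguments after the first space
        t = t.split()[0] if t else ""
    return t.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Flag HJT lines on structure alone; per-line findings in log order, cross-line ones last."""
    findings: list[Finding] = []
    seen: Counter[str] = Counter()            # executable name -> number of autostart entries
    where_seen: dict[str, list[str]] = {}     # executable name -> the lines that register it

    def register(name: str, line: str) -> None:
        if name:
            seen[name] += 1
            where_seen.setdefault(name, []).append(line)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _F2_SHELL.match(line):
            # Winlogon launches every token on the Shell= line; anything after Explorer.exe is a second shell.
            for extra in m.group("shell").split()[1:]:
                findings.append(Finding("F2", f"extra program chained to the Winlogon shell: {extra}", line))
                register(basename_of(extra), line)
        elif m := _O4.match(line):
            name = basename_of(m.group("target"))
            register(name, line)
            if name.endswith(SCRIPT_EXTS):
                findings.append(Finding("O4", f"autostart runs a script, not a program: {name}", line))
            if name.count(".") >= 2:
                findings.append(Finding("O4", f"double extension hides the real file type: {name}", line))
        elif line.startswith("O7 - "):
            hit = [p for p in TOOL_POLICIES if p in line]
            if hit:
                findings.append(Finding("O7", "policy disables an admin tool: " + ", ".join(hit), line))
        elif line.startswith("O20 - Winlogon Notify:"):
            why = "Winlogon Notify DLL (loaded by winlogon.exe at every logon)"
            if "(file missing)" in line:
                why += "; the DLL is gone, so the entry is dangling"
            findings.append(Finding("O20", why, line))

    # One binary registered from several autostart points is itself a signal, whatever it is called.
    for name, count in seen.items():
        if count > 1:
            findings.append(Finding("multi", f"{name} registered in {count} autostart locations",
                                    " | ".join(where_seen[name])))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the thread's own log, the same rules fire on the same lines; the vendor entries (AVG, QuickTime, NVIDIA, the Adobe shortcut) produce nothing. The label/path mismatch on the "Yahoo Messengger" entry is not checked by name because name matching against vendor paths is noisy; the cross-location count catches that binary anyway, since it is also the one on the Shell line.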



## Lacoste (Feb 2, 2007)

Bump!

It's been 2 days now, and according to the rules I should do this.

Oh, and additional information: when I try to open a picture, it sometimes opens up multiple programs that I did not open. Programs activated this way open up multiple times.


----------



## Lacoste (Feb 2, 2007)

Bump!!




It's been 3 days since the thread has had a reply. I am patient, sir, and I follow the rules to the fullest if possible, but my PC is getting worse by the day. Help.


----------



## Lacoste (Feb 2, 2007)

Bump

It's the 4th day, please help.

HJT log scan:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:07 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


----------



## Lacoste (Feb 2, 2007)

BUMP !!!!!

The fifth day, my PC is getting worse...

Latest scan from the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:29:54 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


----------



## Lacoste (Feb 2, 2007)

Greetings,

Since I will be leaving to visit a relative, I will not be able to view this thread for the next day. I'll post my concerns a little early, then check them the following morning (Eastern time here):

It has been day six and my PC is slowing down. Every time I run a video file it slows down and does not play smoothly.

I constantly run the AVG anti-virus to check for any malware present on my system; unfortunately it does not pick up anything in time. My friends say it is a Brontox virus and keeps replicating, but until I find conclusive proof, I won't act hastily.

Anyway, here is the latest HJT scan log:

Logfile of HijackThis v1.99.1
Scan saved at 6:12:30 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\Rayan\Current bots\Serphim harvest uli\Serphim\start.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe


----------



## Lacoste (Feb 2, 2007)

Bump!!!!!!!

7th day.

I have currently unplugged my desktop and am currently using the laptop. It's apparent that as the days go by it goes a little bit slower than it usually is, so I'm posting my reply here.


HELP PLS and God bless


----------



## Cookiegal (Aug 27, 2003)

Download *Brute Force Uninstaller* to your desktop.
Right click the BFU folder on your desktop, and choose *Extract All*
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C)" or whatever your primary drive is
Click "Make New Folder"
Type in *BFU*
Click "Next", and *Un*check the "Show Extracted Files" box and then click "Finish".
*RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download Coolpics Remover.
*Save it in the same folder you made earlier (c:\BFU)*.

Then, please go to *Start > My Computer and navigate to the C:\BFU folder*.
Start the Brute Force Uninstaller by double-clicking *BFU.exe*
Behind the *scriptline to execute* field click the folder icon and select *coolpics.bfu*
Press *Execute* and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the *complete script execution* box to pop up and press OK.
Press *exit* to terminate the BFU program.

Reboot your computer and post a new HijackThis log please.


----------



## Lacoste (Feb 2, 2007)

Greetings Cookiegal,

I can't express my gratitude for your replying to my mail. Thank you!! When I ran the BFU program and followed all the instructions within, it only went up to 48%, then the PC hangs for a minute before resuming to Error "7" out of memory.

When I restarted my PC though, the Windows Explorer option was enabled and the task manager was semi-operational. Accessing it by right-clicking from the task bar, you can open it but it closes immediately. I ran the BFU again and it still stops at 48%. I restarted the PC; then, the moment Windows opened, AVG showed that it has a virus as autorun.ini and the task manager is disabled again.

Anyway, here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:14 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\Rayan\Current bots\Serphim harvest uli\Serphim\start.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Oh, by the way, I also uninstalled some minor programs that I wasn't using. Hope it helps.


----------



## Cookiegal (Aug 27, 2003)

Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet *after downloading the program and before scanning*.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *ComboFix* and save it to your desktop.

***Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

WARNING: *IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts. *
*Please do not re-connect your machine back to the Internet until ComboFix has completely finished.*
If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on *combofix.exe* and follow the prompts. When finished, it will produce a report for you. Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review.

***Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall***


----------



## Lacoste (Feb 2, 2007)

Greetings Cookiegal,

When I double-click the combofix.exe it prompts me that the kde.exe is not found; that's why I fail to use it. What should I do?


----------



## Cookiegal (Aug 27, 2003)

Remove that version of ComboFix and grab this new version. Do not rename it but install it on the desktop, as is and run it following the same instructions please.

http://download.bleepingcomputer.com/sUBs/Combo-Fix.exe


----------



## Lacoste (Feb 2, 2007)

Ahh, that's OK,

When I restarted the machine I put it in Safe Mode and ComboFix ran well. Is this OK or do I have to start all over again not in Safe Mode?

ComboFix 08-01-29.3 - Ray 2008-01-30 2:29:33.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Ray\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\restore\restore.exe
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\windows.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-26 03:37 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\vlc
2008-01-22 22:33 . 2008-01-29 01:27 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-22 22:33 . 2008-01-23 23:40	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-01-20 20:45 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-20 20:44 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-01-20 19:48 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-20 11:10 . 2007-05-15 09:34	250,999	--a------	C:\WINDOWS\system32\drivers\drivers.exe
2008-01-20 11:10 . 2007-05-15 09:34	250,999	--a--c---	C:\WINDOWS\system32\dllcache\dllcache.exe
2008-01-20 11:10 . 2007-05-15 09:34	250,999	--a------	C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
2008-01-20 11:10 . 2007-05-15 09:34	250,999	--a------	C:\WINDOWS\system32\config\systemprofile\Application Data\Application Data.exe
2008-01-20 11:09 . 2007-05-15 09:34	250,999	--a------	C:\WINDOWS\system\system.exe
2008-01-20 11:01 . 2007-05-15 09:34	250,999	--a------	C:\temp\temp.exe
2008-01-20 10:35 . 2007-05-15 09:34	250,999	--a------	C:\Program Files\Common Files\Common Files.exe
2008-01-20 10:31 . 2007-05-15 09:34	250,999	--a------	C:\Program Files\Program Files.exe
2008-01-20 09:49 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\Ray\Ray.exe
2008-01-20 09:49 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\Ray\Application Data\Application Data.exe
2008-01-20 09:49 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\NetworkService\NetworkService.exe
2008-01-20 09:49 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\NetworkService\Application Data\Application Data.exe
2008-01-20 09:49 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\LocalService\LocalService.exe
2008-01-20 09:49 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\LocalService\Application Data\Application Data.exe
2008-01-20 09:48 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\Default User\Default User.exe
2008-01-20 09:48 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\Default User\Application Data\Application Data.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	-rahs----	C:\WINDOWS\system32\SSCVIHOST.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	-rahs----	C:\WINDOWS\system32\blastclnnn.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	--a------	C:\WINDOWS\SSCVIHOST.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	-rahs----	C:\SSCVIHOST.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\All Users\Application Data\Application Data.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\All Users\All Users.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\Administrator\Application Data\Application Data.exe
2008-01-20 09:47 . 2007-05-15 09:34	250,999	--a------	C:\Documents and Settings\Administrator\Administrator.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 18:25	---------	d-----w	C:\Program Files\Yahoo!
2008-01-29 14:43	---------	d-----w	C:\Program Files\netbeans-5.5
2008-01-29 14:22	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Yahoo!
2008-01-29 14:22	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-28 17:37	---------	d-----w	C:\Documents and Settings\Ray\Application Data\AVG7
2008-01-25 00:00	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-24 23:24	---------	d-----w	C:\Documents and Settings\Ray\Application Data\BitTorrent
2008-01-24 16:39	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2008-01-20 11:50	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-20 02:59	---------	d--h--w	C:\Program Files\Uninstall Information
2008-01-20 02:59	---------	d-----w	C:\Program Files\Web Publish
2008-01-20 02:59	---------	d-----w	C:\Program Files\VideoLAN
2008-01-20 02:58	---------	d-----w	C:\Program Files\Ulead Systems
2008-01-20 02:57	---------	d-----w	C:\Program Files\TortoiseSVN
2008-01-20 02:57	---------	d-----w	C:\Program Files\TortoiseCVS
2008-01-20 02:57	---------	d-----w	C:\Program Files\Timed Shutdown
2008-01-20 02:57	---------	d-----w	C:\Program Files\SmartFTP Setup Files
2008-01-20 02:57	---------	d-----w	C:\Program Files\SmartFTP
2008-01-20 02:49	---------	d-----w	C:\Program Files\Sing-Gium International Pte Ltd
2008-01-20 02:49	---------	d-----w	C:\Program Files\RegCleaner
2008-01-20 02:49	---------	d-----w	C:\Program Files\Realtek Sound Manager
2008-01-20 02:49	---------	d-----w	C:\Program Files\QuickTime
2008-01-20 02:49	---------	d-----w	C:\Program Files\Panicware
2008-01-20 02:48	---------	d-----w	C:\Program Files\Ocean Technology
2008-01-20 02:48	---------	d-----w	C:\Program Files\Nokia
2008-01-20 02:47	---------	d-----w	C:\Program Files\MySQL
2008-01-20 02:47	---------	d-----w	C:\Program Files\Mozilla Firefox(2)
2008-01-20 02:46	---------	d-----w	C:\Program Files\Microtek
2008-01-20 02:45	---------	d-----w	C:\Program Files\Microsoft SQL Server
2008-01-20 02:44	---------	d-----w	C:\Program Files\microsoft frontpage
2008-01-20 02:44	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2008-01-20 02:42	---------	d-----w	C:\Program Files\Macromedia
2008-01-20 02:42	---------	d-----w	C:\Program Files\Lavasoft
2008-01-20 02:42	---------	d-----w	C:\Program Files\KanjiGold
2008-01-20 02:42	---------	d-----w	C:\Program Files\K-Lite Codec Pack
2008-01-20 02:37	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-20 02:37	---------	d-----w	C:\Program Files\Java
2008-01-20 02:37	---------	d-----w	C:\Program Files\Google
2008-01-20 02:37	---------	d-----w	C:\Program Files\GlobalSCAPE
2008-01-20 02:37	---------	d-----w	C:\Program Files\EAGLE-4.09r2
2008-01-20 02:37	---------	d-----w	C:\Program Files\DivX
2008-01-20 02:37	---------	d-----w	C:\Program Files\DBTC
2008-01-20 02:37	---------	d-----w	C:\Program Files\CuteFTP
2008-01-20 02:36	---------	d-----w	C:\Program Files\Crimson Editor
2008-01-20 02:36	---------	d-----w	C:\Program Files\Creative
2008-01-20 02:36	---------	d-----w	C:\Program Files\CoreFTP
2008-01-20 02:36	---------	d-----w	C:\Program Files\Common Files\Virtual CD v5_02
2008-01-20 02:36	---------	d-----w	C:\Program Files\Common Files\Real
2008-01-20 02:36	---------	d-----w	C:\Program Files\Common Files\Nero
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Macromedia Shared
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Java
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Ahead
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Adobe Systems Shared
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-01-20 02:33	---------	d-----w	C:\Program Files\Canon
2008-01-20 02:33	---------	d-----w	C:\Program Files\BPFTP
2008-01-20 02:33	---------	d-----w	C:\Program Files\AvRack
2008-01-20 02:33	---------	d-----w	C:\Program Files\AviSynth 2.5
2008-01-20 02:33	---------	d-----w	C:\Program Files\Avi2Dvd
2008-01-20 02:33	---------	d-----w	C:\Program Files\AvantGo Connect
2008-01-20 02:33	---------	d-----w	C:\Program Files\Apache Group
2008-01-20 02:33	---------	d-----w	C:\Program Files\Anewsoft Video Converter
2008-01-20 02:33	---------	d-----w	C:\Program Files\Ahead
2008-01-20 02:31	---------	d-----w	C:\Program Files\Abexo
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\vlc
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Visicom Media
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\U3
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Subversion
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\SmartFTP
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\PC Suite
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Notepad++
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\MSN6
2008-01-20 01:58	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Media Player Classic
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Lavasoft
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\GlobalSCAPE
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\dvdcss
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Datalayer
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Creative
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\CoreFTP
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\CoffeeCup Software
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\BPFTP
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Ahead
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\AdobeUM
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\Creative
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-20 01:47	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Subversion
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\Tasks\Tasks.exe
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\Prefetch\Prefetch.exe
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\Media\Media.exe
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\inf\inf.exe
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\inf\catalog\catalog.exe
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\Fonts\Fonts.exe
2007-05-15 01:34	250,999	----a-w	C:\WINDOWS\Cursors\Cursors.exe
2007-05-15 01:34	250,999	--sha-r	C:\WINDOWS\system32\blastclnnn.exe
2007-05-15 01:34	250,999	--sha-r	C:\WINDOWS\system32\SSCVIHOST.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 05:42 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 02:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:37 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 19:25 77824]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-07-29 19:07 188416]
"FS6519"="C:\WINDOWS\FS6519.dll.vbs" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 19:59 219136]
"Yahoo Messengger"="C:\WINDOWS\system32\SSCVIHOST.exe" [2007-05-15 09:34 250999]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Startup.exe [2007-05-15 09:34:36 250999]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Startup.exe [2007-05-15 09:34:36 250999]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
Startup.exe [2007-05-15 09:34:36 250999]

C:\Documents and Settings\Ray\Start Menu\Programs\Startup\
Startup.exe [2007-05-15 09:34:36 250999]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Startup.exe [2007-05-15 09:34:36 250999]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]
winrvc32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 09:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-07 19:25 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=2 (0x2)

S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Program Files\VMLaunch\BuddyVM.sys []
S2 P0250BUK;Creative PC-CAM 550 (Still);C:\WINDOWS\system32\Drivers\p0250Buk.sys [2002-04-09 01:00]
S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-10-31 00:13]
S3 P0250VID;Creative PC-CAM 550 (Video);C:\WINDOWS\system32\DRIVERS\p0250v2k.sys [2002-06-10 01:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33634c-c6f8-11dc-9ac0-000c76e094f6}]
\Shell\0pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

*Newly Created Service* - PSEXESVC 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 14:11:33 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
"2008-01-29 14:11:33 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\blastclnnn.exe
"2008-01-29 14:11:33 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 02:34:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 2:35:16
ComboFix-quarantined-files.txt 2008-01-29 18:34:55

And here is the latest HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:46:49 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - Startup: Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system32\dllcache\dllcache.exe
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\Application Data.exe
C:\WINDOWS\system\system.exe
C:\temp\temp.exe
C:\Program Files\Common Files\Common Files.exe
C:\Program Files\Program Files.exe
C:\Documents and Settings\Ray\Ray.exe
C:\Documents and Settings\Ray\Application Data\Application Data.exe
C:\Documents and Settings\NetworkService\NetworkService.exe
C:\Documents and Settings\NetworkService\Application Data\Application Data.exe
C:\Documents and Settings\LocalService\LocalService.exe
C:\Documents and Settings\LocalService\Application Data\Application Data.exe
C:\Documents and Settings\Default User\Default User.exe
C:\Documents and Settings\Default User\Application Data\Application Data.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\SSCVIHOST.exe
C:\SSCVIHOST.exe
C:\Documents and Settings\All Users\Application Data\Application Data.exe
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\Administrator\Application Data\Application Data.exe
C:\Documents and Settings\Administrator\Administrator.exe
C:\WINDOWS\Tasks\Tasks.exe
C:\WINDOWS\Prefetch\Prefetch.exe
C:\WINDOWS\Media\Media.exe
C:\WINDOWS\inf\inf.exe
C:\WINDOWS\inf\catalog\catalog.exe
C:\WINDOWS\Fonts\Fonts.exe
C:\WINDOWS\Cursors\Cursors.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Windows\krag.exe

DirLook::
C:\Documents and Settings\Administrator\Application Data\Lavasoft
C:\Documents and Settings\Ray\Application Data\AVG7
C:\Program Files\Realtek Sound Manager

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FS6519"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33634c-c6f8-11dc-9ac0-000c76e094f6}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
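As an added example (not code from the thread, HijackThis or ComboFix), the script below applies the checks behind Cookiegal's CFScript to constructed HijackThis lines that mirror the log above, and renders the matching Registry:: stanza in the CFScript format shown; the double-extension heuristic, the known-name list and the helper names (`triage`, `executable_of`, `cfscript_registry`) are assumptions of this example.

```python
"""Triage HijackThis v1.99 log lines for the indicators the CFScript above
removes, and render the matching CFScript Registry:: stanza.
Added example for this thread, not code from HijackThis, ComboFix or the forum;
the sample lines are constructed to mirror the log posted above."""
import re
from dataclasses import dataclass

# Constructed sample: the same line shapes as the HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FS6519] C:\WINDOWS\FS6519.dll.vbs
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Heuristics assumed by this example (not HijackThis rules).
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".pif", ".scr")
# Run-value names the CFScript earlier in the thread deletes.
KNOWN_BAD_RUN_NAMES = {"fs6519", "yahoo messengger"}
HIVE = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
F2_RE = re.compile(r"^REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O7_RE = re.compile(r"^(HKLM|HKCU)\\.*?, (\w+)=(\d+)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    rest: str     # the line after "Oxx - "
    reason: str   # why it was flagged


def executable_of(cmd):
    """Return the program path of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a Finding for every log line that trips one of the checks."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.groups()
        if sec == "F2":
            f = F2_RE.match(rest)
            parts = f.group(1).split() if f else []
            # A clean system.ini Shell= holds Explorer.exe and nothing else.
            if f and (len(parts) != 1 or parts[0].lower() != "explorer.exe"):
                findings.append(Finding(sec, rest, "Shell= loads an extra program: " + " ".join(parts[1:])))
        elif sec == "O4":
            o = O4_RE.match(rest)
            if not o:
                continue  # Startup-folder O4 entries are not handled here
            _, name, cmd = o.groups()
            exe = executable_of(cmd).lower()
            if exe.endswith(SCRIPT_EXT) and exe.count(".") >= 2:
                findings.append(Finding(sec, rest, f"Run value '{name}' launches a double-extension script"))
            elif name.lower() in KNOWN_BAD_RUN_NAMES:
                findings.append(Finding(sec, rest, f"Run value '{name}' is one the CFScript removes"))
        elif sec == "O7":
            o = O7_RE.match(rest)
            policy = o.group(2) if o else rest
            findings.append(Finding(sec, rest, f"policy '{policy}' restricts an admin tool"))
        elif sec == "O20":
            o = O20_RE.match(rest)
            if o and "(file missing)" in o.group(2):
                findings.append(Finding(sec, rest, f"Winlogon Notify package '{o.group(1)}' has no DLL on disk"))
    return findings


def cfscript_registry(findings):
    """Render a CFScript Registry:: stanza (the format used in the post above)
    that drops flagged Run values and deletes an orphaned Winlogon Notify key.
    F2 and O7 findings are left for manual handling."""
    out = ["Registry::"]
    for f in findings:
        if f.section == "O4":
            hive, name, _ = O4_RE.match(f.rest).groups()
            out.append(f"[{HIVE[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
            out.append(f'"{name}"=-')
        elif f.section == "O20":
            name = O20_RE.match(f.rest).group(1)
            out.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                       f"\\currentversion\\winlogon\\notify\\{name}]")
    return "\n".join(out)
```

Running `triage(SAMPLE_LOG)` flags the F2, two O4, O7 and O20 lines and leaves SoundMan, AVG and the NVIDIA service alone; `cfscript_registry` then emits the same `"FS6519"=-`, `"Yahoo Messengger"=-` and `[-...\notify\winrvc32]` entries the post's CFScript contains.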


----------



## Lacoste (Feb 2, 2007)

Greetings and salutations Cookiegal,

May I add some additional information before I proceed with the latest scans? Anyway, when I try to drag the file onto ComboFix it keeps popping up a window with a message saying Kmd.exe is not detected, etc.

So I ran the program in safe mode, and it still did the same thing. Well, when I try to see the window toolbar most of the virus's persistent problems return, such as disabling the Tools menu for the Windows options and such.

So I ran the BFU till it stopped at 48% because of insufficient memory, and tried ComboFix again. This time it worked. When ComboFix ran it said that it was storing many corrupt files, which I don't know what they are, stated that they cannot be recovered and whatnot, then it continued till it generated the log file. I hope I did the right thing.

Anyway, here are the scans:

ComboFix 08-01-29.2 - Ray 2008-01-30 22:56:02.2 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Ray\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Ray\Desktop\CFScript.txt

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\Documents and Settings\Administrator\Administrator.exe
C:\Documents and Settings\Administrator\Application Data\Application Data.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\All Users\Application Data\Application Data.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Default User\Application Data\Application Data.exe
C:\Documents and Settings\Default User\Default User.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\LocalService\Application Data\Application Data.exe
C:\Documents and Settings\LocalService\LocalService.exe
C:\Documents and Settings\NetworkService\Application Data\Application Data.exe
C:\Documents and Settings\NetworkService\NetworkService.exe
C:\Documents and Settings\Ray\Application Data\Application Data.exe
C:\Documents and Settings\Ray\Ray.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\Program Files\Common Files\Common Files.exe
C:\Program Files\Program Files.exe
C:\SSCVIHOST.exe
C:\temp\temp.exe
C:\WINDOWS\Cursors\Cursors.exe
C:\WINDOWS\Fonts\Fonts.exe
C:\WINDOWS\inf\catalog\catalog.exe
C:\WINDOWS\inf\inf.exe
C:\Windows\krag.exe
C:\WINDOWS\Media\Media.exe
C:\WINDOWS\Prefetch\Prefetch.exe
C:\WINDOWS\SSCVIHOST.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\Application Data.exe
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
C:\WINDOWS\system32\dllcache\dllcache.exe
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\Tasks.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SSCVIHOST.exe
C:\Documents and Settings\Administrator\Administrator.exe
C:\Documents and Settings\Administrator\Application Data\Application Data.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\All Users\Application Data\Application Data.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\Default User\Application Data\Application Data.exe
C:\Documents and Settings\Default User\Default User.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Startup.exe
C:\Documents and Settings\LocalService\Application Data\Application Data.exe
C:\Documents and Settings\LocalService\LocalService.exe
C:\Documents and Settings\NetworkService\Application Data\Application Data.exe
C:\Documents and Settings\NetworkService\NetworkService.exe
C:\Documents and Settings\Ray\Application Data\Application Data.exe
C:\Documents and Settings\Ray\Ray.exe
C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Startup.exe
C:\Program Files\Common Files\Common Files.exe
C:\Program Files\Program Files.exe
C:\SSCVIHOST.exe
C:\temp\temp.exe
C:\WINDOWS\Cursors\Cursors.exe
C:\WINDOWS\Fonts\Fonts.exe
C:\WINDOWS\inf\catalog\catalog.exe
C:\WINDOWS\inf\inf.exe
C:\WINDOWS\Media\Media.exe
C:\WINDOWS\Prefetch\Prefetch.exe
C:\WINDOWS\SSCVIHOST.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\Application Data.exe
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Startup.exe
C:\WINDOWS\system32\config\systemprofile\systemprofile.exe
C:\WINDOWS\system32\dllcache\dllcache.exe
C:\WINDOWS\system32\drivers\drivers.exe
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\SSCVIHOST.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\Tasks.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 23:05 . 2008-01-30 23:05 d--hs----	C:\found.000
2008-01-30 22:04 . 2008-01-28 21:31 d--------	C:\ComboFix
2008-01-26 03:37 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\vlc
2008-01-22 22:33 . 2008-01-29 01:27 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-22 22:33 . 2008-01-23 23:40	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-01-20 20:45 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-20 20:44 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-01-20 19:48 . 2008-01-29 00:54 d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 18:25	---------	d-----w	C:\Program Files\Yahoo!
2008-01-29 14:43	---------	d-----w	C:\Program Files\netbeans-5.5
2008-01-29 14:22	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Yahoo!
2008-01-29 14:22	---------	d-----w	C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-28 17:37	---------	d-----w	C:\Documents and Settings\Ray\Application Data\AVG7
2008-01-25 00:00	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-24 23:24	---------	d-----w	C:\Documents and Settings\Ray\Application Data\BitTorrent
2008-01-24 16:39	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2008-01-20 11:50	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-20 02:59	---------	d--h--w	C:\Program Files\Uninstall Information
2008-01-20 02:59	---------	d-----w	C:\Program Files\Web Publish
2008-01-20 02:59	---------	d-----w	C:\Program Files\VideoLAN
2008-01-20 02:58	---------	d-----w	C:\Program Files\Ulead Systems
2008-01-20 02:57	---------	d-----w	C:\Program Files\TortoiseSVN
2008-01-20 02:57	---------	d-----w	C:\Program Files\TortoiseCVS
2008-01-20 02:57	---------	d-----w	C:\Program Files\Timed Shutdown
2008-01-20 02:57	---------	d-----w	C:\Program Files\SmartFTP Setup Files
2008-01-20 02:57	---------	d-----w	C:\Program Files\SmartFTP
2008-01-20 02:49	---------	d-----w	C:\Program Files\Sing-Gium International Pte Ltd
2008-01-20 02:49	---------	d-----w	C:\Program Files\RegCleaner
2008-01-20 02:49	---------	d-----w	C:\Program Files\Realtek Sound Manager
2008-01-20 02:49	---------	d-----w	C:\Program Files\QuickTime
2008-01-20 02:49	---------	d-----w	C:\Program Files\Panicware
2008-01-20 02:48	---------	d-----w	C:\Program Files\Ocean Technology
2008-01-20 02:48	---------	d-----w	C:\Program Files\Nokia
2008-01-20 02:47	---------	d-----w	C:\Program Files\MySQL
2008-01-20 02:47	---------	d-----w	C:\Program Files\Mozilla Firefox(2)
2008-01-20 02:46	---------	d-----w	C:\Program Files\Microtek
2008-01-20 02:45	---------	d-----w	C:\Program Files\Microsoft SQL Server
2008-01-20 02:44	---------	d-----w	C:\Program Files\microsoft frontpage
2008-01-20 02:44	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2008-01-20 02:42	---------	d-----w	C:\Program Files\Macromedia
2008-01-20 02:42	---------	d-----w	C:\Program Files\Lavasoft
2008-01-20 02:42	---------	d-----w	C:\Program Files\KanjiGold
2008-01-20 02:42	---------	d-----w	C:\Program Files\K-Lite Codec Pack
2008-01-20 02:37	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-01-20 02:37	---------	d-----w	C:\Program Files\Java
2008-01-20 02:37	---------	d-----w	C:\Program Files\Google
2008-01-20 02:37	---------	d-----w	C:\Program Files\GlobalSCAPE
2008-01-20 02:37	---------	d-----w	C:\Program Files\EAGLE-4.09r2
2008-01-20 02:37	---------	d-----w	C:\Program Files\DivX
2008-01-20 02:37	---------	d-----w	C:\Program Files\DBTC
2008-01-20 02:37	---------	d-----w	C:\Program Files\CuteFTP
2008-01-20 02:36	---------	d-----w	C:\Program Files\Crimson Editor
2008-01-20 02:36	---------	d-----w	C:\Program Files\Creative
2008-01-20 02:36	---------	d-----w	C:\Program Files\CoreFTP
2008-01-20 02:36	---------	d-----w	C:\Program Files\Common Files\Virtual CD v5_02
2008-01-20 02:36	---------	d-----w	C:\Program Files\Common Files\Real
2008-01-20 02:36	---------	d-----w	C:\Program Files\Common Files\Nero
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Macromedia Shared
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Macromedia
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Java
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Ahead
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Adobe Systems Shared
2008-01-20 02:35	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-01-20 02:33	---------	d-----w	C:\Program Files\Canon
2008-01-20 02:33	---------	d-----w	C:\Program Files\BPFTP
2008-01-20 02:33	---------	d-----w	C:\Program Files\AvRack
2008-01-20 02:33	---------	d-----w	C:\Program Files\AviSynth 2.5
2008-01-20 02:33	---------	d-----w	C:\Program Files\Avi2Dvd
2008-01-20 02:33	---------	d-----w	C:\Program Files\AvantGo Connect
2008-01-20 02:33	---------	d-----w	C:\Program Files\Apache Group
2008-01-20 02:33	---------	d-----w	C:\Program Files\Anewsoft Video Converter
2008-01-20 02:33	---------	d-----w	C:\Program Files\Ahead
2008-01-20 02:31	---------	d-----w	C:\Program Files\Abexo
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\vlc
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Visicom Media
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\U3
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Subversion
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\SmartFTP
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\PC Suite
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Notepad++
2008-01-20 02:00	---------	d-----w	C:\Documents and Settings\Ray\Application Data\MSN6
2008-01-20 01:58	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Media Player Classic
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Lavasoft
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\GlobalSCAPE
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\dvdcss
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Datalayer
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Creative
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\CoreFTP
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\CoffeeCup Software
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\BPFTP
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\Ahead
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\Ray\Application Data\AdobeUM
2008-01-20 01:49	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\Creative
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 01:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-20 01:47	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Subversion
2006-06-12 15:56	9,216	--sha-w	C:\Program Files\Thumbs.db
2006-04-22 04:54	378,794	----a-w	C:\Program Files\Platform010017.jpg
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Administrator\Application Data\Lavasoft ----

2008-01-20 20:08	177	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\stats.awd 
2008-01-20 20:08	1497	-r-h-----	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\settings.awc 
2008-01-20 20:02	12195	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2008-01-20 20-02-15.txt 
2008-01-20 19:49	224313	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\description.ini 
2007-05-15 09:34	250999	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Lavasoft.exe 
2007-05-15 09:34	250999	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Quarantine\Quarantine.exe 
2007-05-15 09:34	250999	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Logs.exe 
2007-05-15 09:34	250999	--a------	C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Ad-Aware.exe

---- Directory of C:\Documents and Settings\Ray\Application Data\AVG7 ----

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2006-08-05 14:49	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-04 05:42 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-09 02:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47 7311360]
"nwiz"="nwiz.exe" [2005-11-11 13:47 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 13:47 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:37 579072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 19:25 77824]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-07-29 19:07 188416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 19:59 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=C:\WINDOWS\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 09:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-01-07 19:25 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=2 (0x2)

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-10-31 00:13]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Program Files\VMLaunch\BuddyVM.sys []
S2 P0250BUK;Creative PC-CAM 550 (Still);C:\WINDOWS\system32\Drivers\p0250Buk.sys [2002-04-09 01:00]
S3 P0250VID;Creative PC-CAM 550 (Video);C:\WINDOWS\system32\DRIVERS\p0250v2k.sys [2002-06-10 01:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 23:10:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-01-30 23:13:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 15:13:52
ComboFix2.txt 2008-01-29 18:35:17

Here's the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:42 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

And, as always, thank you for your help.


----------



## Cookiegal (Aug 27, 2003)

Do you have your XP CD?

I think this one is going to be very difficult to sort out as it's created executable files with the names of every folder on your computer. It's going to be next to impossible to figure out which is bad and which is good.

The best option, given the infections present, would be to back up all of your important data, pictures, etc. and wipe the drive and reformat.


----------



## Lacoste (Feb 2, 2007)

Greetings Anne, 

So is there really no way to fix the problem then? I see. Well, if that is the case, is it safe to burn all my data files and format that as well?

Or just the primary hard disk? If that is the optimal case, then I'll reformat it clean. Let me buy a couple of CDs to back up my data then. Another thing: does the virus affect data such as Windows Word files and stuff?


Thanks for all your help.


----------



## Cookiegal (Aug 27, 2003)

Hi,

I'll tell Anne you said hi. BTW, my name is Karen.

Yes, I believe it's the best way to go with this. You should be fine backing up Word or Excel documents, photos, music files and things of that nature. Don't back up any executable files or programs. It would be best to reinstall them.

I would also advise you to change all log-in or access passwords, bank account numbers, etc. as this information may have been compromised.
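
As an added example, not code from the original thread or from any tool named in it: a small Python triage script that applies Karen's two points above before the reformat. It lists executables named after a folder that sits beside them (the "Yahoo messenger > yahoo messenger.exe" symptom the original poster described), lists any autorun.inf or autorun.vbs files on a drive, and copies only document-type files into a backup folder, skipping anything with an executable extension. The directory tree it runs on is constructed inline, and the extension lists and the hypothetical file names are my assumptions, not from the page.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumed allow-list of "document" data that is safe to back up.
# Anything outside this set (executables, scripts, installers) is left behind.
DATA_EXTENSIONS = {".doc", ".xls", ".ppt", ".txt", ".pdf", ".jpg", ".png", ".mp3"}

# Assumed names that a USB-spreading infection uses to start itself when the drive is opened.
AUTORUN_NAMES = {"autorun.inf", "autorun.vbs"}


def find_folder_shadow_executables(root):
    """Return relative paths of files named <folder>.exe that sit in the same
    directory as a folder called <folder>; this is the symptom from the thread."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        lower_files = {f.lower(): f for f in filenames}   # case-insensitive like NTFS
        for d in dirnames:
            shadow = lower_files.get(d.lower() + ".exe")
            if shadow is not None:
                hits.append(Path(dirpath, shadow).relative_to(root).as_posix())
    return sorted(hits)


def find_autorun_files(root):
    """Return relative paths of autorun.inf / autorun.vbs files anywhere under root."""
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            if f.lower() in AUTORUN_NAMES:
                hits.append(Path(dirpath, f).relative_to(root).as_posix())
    return sorted(hits)


def copy_data_files(src, dst):
    """Copy only allow-listed data files from src into dst, keeping the folder
    layout. Returns (copied, skipped) as sorted lists of relative paths.
    A double extension such as notes.txt.exe has suffix .exe and is skipped."""
    src, dst = Path(src), Path(dst)
    copied, skipped = [], []
    for dirpath, _, filenames in os.walk(src):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(src)
            if rel.suffix.lower() in DATA_EXTENSIONS:
                target = dst / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src / rel, target)
                copied.append(rel.as_posix())
            else:
                skipped.append(rel.as_posix())
    return sorted(copied), sorted(skipped)


def build_sample_tree(base):
    """Constructed sample tree (hypothetical names): a user's documents plus the
    traces an infection of the kind described in the thread would leave."""
    base = Path(base)
    files = {
        "My Documents/report.doc": "quarterly report",
        "My Documents/photo.jpg": "jpegdata",
        "My Documents/notes.txt.exe": "MZ",                 # double-extension trick
        "My Documents.exe": "MZ",                           # shadows the My Documents folder
        "Program Files/Yahoo!/Messenger/YahooMessenger.exe": "MZ",
        "Program Files/Yahoo!/Messenger.exe": "MZ",         # shadows the Messenger folder
        "Program Files/Yahoo!.exe": "MZ",                   # shadows the Yahoo! folder
        "autorun.inf": "[autorun]\nopen=setup.exe\n",
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


def run_demo():
    """Build the constructed tree in a temp dir, triage it, and return the findings."""
    work = Path(tempfile.mkdtemp(prefix="triage_"))
    try:
        infected = build_sample_tree(work / "infected")
        copied, skipped = copy_data_files(infected, work / "backup")
        return {
            "shadow_exes": find_folder_shadow_executables(infected),
            "autorun": find_autorun_files(infected),
            "copied": copied,
            "skipped": skipped,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The allow-list approach matters more than the block-list: a file that merely looks like a document (notes.txt.exe) is rejected because only its final extension is consulted, and a data file the infection renamed is simply not restored, which is the safer failure.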


----------



## Cookiegal (Aug 27, 2003)

I also want to caution you that you may have an external or flash drive that is infected as well so it should not be used or you risk reinfection.

Best thing to do would be to reformat the flash drive as well.


----------



## Lacoste (Feb 2, 2007)

Greeting Karen,


OK then. Well, organizing and backing up all the data here will take time, so I'd better get started on the weekend.

Oh, and may I ask if there are other ways to learn to be a PC security expert, and any how-to guides to better protect my PC? Since I was taken by surprise, it would be impossible to be alert all the time.

Well, safe to say I have not used my PC for online banking and passwords and the sort, so I'm safe.

The USB drive? Well, it was my cousin's, so I don't know what to do with it. I'll tell her to reformat the USB drive later.

May I mark this thread solved after I back up? Because I may want to ask something related to this matter and I don't want to make another thread.

Thanks, and I really appreciate your help.



Edit:

Oh sorry, where are my manners. I always email my boss Anne in every mail I send her. Learned response, I guess.


----------



## Cookiegal (Aug 27, 2003)

No worries about the name. I was just teasing. 

Before reformatting you should download the AVG Free anti-virus installer to a CD so you can install it before actually going on-line.

The very first thing you should do after that is go to Microsoft and download all of the updates needed to help protect your system from vulnerabilities that can be exploited by malware.

You should also get a third party firewall, rather than just the XP one, which only blocks incoming packets. A third party one, such as Zone Alarm free, will block both incoming and outgoing.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

I will send you a private message with information regarding malware removal training.


----------



## Lacoste (Feb 2, 2007)

Greetings Karen,

I have read both links and studied the conditions and environment both forums have offered. For the past 2 days I have been weighing the time and dedication one would require for these boot camps.

I am interested, but since I am new at my company I am undergoing several boot camps and training sessions (not to mention several 15 hrs/day workdays), so my schedule is very hectic at the moment.

Thank you for the links. It will take me some time to actually become a member of those forums, but eventually I'll join and undergo their boot camps. I guess I shouldn't have said PC expert so easily.


Well, I'll close this thread soon after I reformat, but before that, is the list here enough security for my new OS?

HijackThis
ATS Cleanup exe
AVG 7 free edition 
Lavasoft AD-aware and 
SpywareBlaster?

Thank you,
Lacoste


----------



## Cookiegal (Aug 27, 2003)

That's understandable. You really need to have the time to devote to it.

I'm not familiar with ATS Cleanup. Are you perhaps referring to ATF Cleaner? That is a good program to have to clean up temp files.


You should be well protected with these:

AVG free anti-virus
Ad-Aware
SpyBot Search & Destroy
SpywareBlaster
Zone Alarm

and an anti-spyware such as either AVG Anti-Spyware or SuperAntiSpyware. But you should only use the real-time protection of one program so if you're using SpyBot's TeaTimer, don't use real-time from the other anti-spyware or vice versa. Although AVG and SAS don't have real-time protection in the free versions beyond the trial period.

I also recommend staying away from registry cleaners as they often do more harm than good.


----------



## Lacoste (Feb 2, 2007)

Hi Karen,

Well, thank you for your reply with the list. Indeed, that is ATF Cleaner. It was recommended to me when I asked for help here in February last year for the autorun.vbs virus back then. I am in the process of compiling my data and recording all important files on my hard disk in preparation for the reformat.

Thank you again for helping me solve my problem; it really is appreciated here in our family. I'll drop a line if I pass the boot camp at the links you have provided to me. Again, thank you, and more power to techguy.com.


P.S. This thread is long enough; closing it for others.

P.P.S. How do you close threads again?


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome. 

You can mark your thread solved by clicking on "Thread Tools" and selecting that option from the drop down menu.


----------



## Lacoste (Feb 2, 2007)

Thanks Karen




----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------

