# iexplore.exe 99-100% CPU usage on startup {Moved thread needs help}



## Kadence (Nov 28, 2007)

Hi guys, 

Thanks for reading.

I'm having a bit of a problem here. When my computer gets to Windows it basically freezes, but not quite. I check my processes in Task Manager, and I see that iexplore.exe is using up 99-100% of my CPU. I then end the process and all of the programs and the computer boot up normally. I have scanned my computer for viruses, spyware, adware and malware, but nothing comes up. I am using XP, with SP2 and all of the available updates, bar one. And that is because if I download and install it, I get an error when my computer boots up saying:

The Following File is missing or corrupt blah blah

C:\WINDOWS\System32\ntoskrnl.exe

Please repair and such.

So I just don't download and install it, and I highly doubt this is the problem.

Thanks for taking the time to read, and I hope to hear from someone soon.

All the best


----------



## zabusant (Sep 6, 2007)

Is iexplore.exe already running when you boot up?


----------



## Kadence (Nov 28, 2007)

Hmm, yeah, I think so. As soon as I can press Ctrl+Alt+Del and it loads, it's there, so...


----------



## zabusant (Sep 6, 2007)

That's most likely a virus.

"iexplore.exe" is usually the "Internet Explorer" process. But some viruses use the same name to hide. There is no reason IE should be running at startup - and if it were the legitimate process, your web browser window should appear.

Please install and run a scan with this:
http://downloads2.superantispyware.com/downloads/SUPERAntiSpyware.exe

What kind of anti-virus and other protection do you have installed?


----------



## gyrgrls (Nov 22, 2004)

Please post a HJT log.

It looks like you are infected by a virus and/or a trojan.


----------



## zabusant (Sep 6, 2007)

A slim chance, but go to:

Start>Run... type msconfig and ENTER

In the "startup" tab, look for an entry for internet explorer. Uncheck it, confirm, restart


----------



## gyrgrls (Nov 22, 2004)

If your machine will NOT boot to the DESKTOP;
Here is what I want you to do:

Take the HD out of your box, slave it to a slot in a friend/neighbors' box.
This is safe, since it's no longer booting off the infected drive anymore.

Then, do a HJT (download program here).

<http://www.spywareinfo.com/~merijn/programs.php>

Accessing the drive via slave, or via USB bridge, is usually safe,
provided the new [surrogate] host machine is booting off the 
primary drive, and has adequate virus and spyware protection.

IHTH.


----------



## gyrgrls (Nov 22, 2004)

This problem also happens with pirated or "cracked" versions of XP PRO SP2, 
from time to time. I am not accusing anyone, but if the shoe fits...

It's time to kiss a frog.


----------



## zabusant (Sep 6, 2007)

gyrgrls said:


> This problem also happens with pirated or "cracked" versions of XP PRO SP2,
> from time to time. I am not accusing anyone, but if the shoe fits...
> 
> It's time to kiss a frog.


Really? I've never heard of that. Do you know why this issue occurs?


----------



## gyrgrls (Nov 22, 2004)

Infected cracks / keygens,
and / or poorly done cracking, crippling the NT kernel (NTOSKRNL.EXE)

Anytime original code is modified, without being properly disassembled, 
or even understood, there is risk of corruption. (That's an UNDERSTATEMENT)

90% of all malware probably comes from email, and about 8% from pirated
software that is trojaned. 

Don't laugh: back about 25 years or so, those figures were actually REVERSED!

I know what I am talking about.


----------



## gyrgrls (Nov 22, 2004)

Don't get me wrong.

I know machine language, and I know how to use a hex editor.

SO what? Big Deal!

Hacking binary or executable files should be done WITH EXTREME CAUTION.

"Crackers", or "software pirates", don't give a tinker's dam.
They just want to "get the product out" before their competing 
piracy ring does. 

Even the "esteemed" pirate clubs are ripping each other off, left and right.
There is no honor among thieves. No, sir.

IT IS __NOT__ A SAFE PRACTICE!


Thus, my stern warning.


----------



## zabusant (Sep 6, 2007)

Well, of course, but if you follow that logic you could suspect any problem of being caused by a pirated copy. What I meant was, I've never heard of this particular issue being related to a cracked copy.

Because let me tell you, if trouble with IE is caused by a bad crack, I'm guilty of piracy too - since I've probably had more trouble with IE than any other part of Windows. Of course, now I use Firefox!


----------



## Kadence (Nov 28, 2007)

iexplore.exe isn't in startup.

And I can get to the desktop, just with 99% CPU. So I have to end the process to speed things up.

Also, my Windows is genuine.

Here's my HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:03:49, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Xfire\xfire.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.mynortonaccount.com/amsweb/default.do
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 banking.postbank.de
O1 - Hosts: 82.146.60.44 direkt.postbank.de
O1 - Hosts: 82.146.60.44 www.smile.co.uk
O1 - Hosts: 82.146.60.44 smile.co.uk
O1 - Hosts: 82.146.60.44 cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.co.uk
O1 - Hosts: 82.146.60.44 cahoot.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.com
O1 - Hosts: 82.146.60.44 co-operativebank.com
O1 - Hosts: 82.146.60.44 personal.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.co.uk
O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk
O1 - Hosts: 82.146.60.44 www.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.touchclarity.com
O1 - Hosts: 82.146.60.44 hsbc.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 hsbc.touchclarity.com
O1 - Hosts: 82.146.60.44 www1.member-hsbc-group.com
O1 - Hosts: 82.146.60.44 lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 www.lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 lloydstsb.com
O1 - Hosts: 82.146.60.44 www.lloydstsb.com
O1 - Hosts: 82.146.60.44 mi.lloydstsb.com
O1 - Hosts: 82.146.60.44 www.woolwich.co.uk
O1 - Hosts: 82.146.60.44 woolwich.co.uk
O1 - Hosts: 82.146.60.44 www.deutsche-bank.de
O1 - Hosts: 82.146.60.44 deutsche-bank.de
O1 - Hosts: 82.146.60.44 meine.deutsche-bank.de
O1 - Hosts: 82.146.60.44 www.anbusiness.com
O1 - Hosts: 82.146.60.44 anbusiness.com
O1 - Hosts: 82.146.60.44 www.abbeyinternational.com
O1 - Hosts: 82.146.60.44 www.barclays.com
O1 - Hosts: 82.146.60.44 barclays.com
O1 - Hosts: 82.146.60.44 ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.60.44 offshore.hsbc.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\system32\mmsvc32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\system32\spools.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10082 bytes
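Added example, not part of the thread or of HijackThis itself: a small Python checker that parses the `O1 - Hosts:` lines of a HijackThis log and flags any public IP that several unrelated registrable domains have been pointed at, which is the hosts-file hijack visible in the log above. The sample input is constructed from a few lines of that log plus benign ad-block and LAN entries that must not fire; the two-label suffix list is a deliberately minimal stand-in for the Public Suffix List.

```python
"""Flag hosts-file pharming in a HijackThis log (added example).

HijackThis reports each non-default hosts-file line as
    O1 - Hosts: <ip> <hostname>
A hosts file legitimately points names at loopback (127.0.0.1 or 0.0.0.0 for
ad blocking) or at LAN addresses. Many unrelated domains all resolving to one
public IP is the pattern a banker trojan leaves behind: the victim types the
real bank name and lands on the attacker's server.
"""
import ipaddress
import re
from collections import defaultdict

# Matches the HJT O1 line format; tolerant of extra whitespace.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Public suffixes that take a second label (co.uk, com.au ...). Minimal
# constructed list for the demo; a real tool would load the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """www.barclays.co.uk -> barclays.co.uk, meine.deutsche-bank.de -> deutsche-bank.de."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_o1_lines(log_text: str) -> dict:
    """Return {ip: set(hostnames)} for every O1 - Hosts entry in the log."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            ip, host = m.groups()
            by_ip[ip].add(host.lower())
    return by_ip


def is_benign_target(ip: str) -> bool:
    """Loopback, 0.0.0.0, link-local and RFC 1918 targets are normal hosts-file uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable target: treat it as worth a look
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def find_pharming(log_text: str, min_domains: int = 2) -> list:
    """Return [(ip, sorted registrable domains)] for public IPs that
    at least `min_domains` unrelated domains have been mapped to."""
    findings = []
    for ip, hosts in parse_o1_lines(log_text).items():
        if is_benign_target(ip):
            continue
        domains = {registrable_domain(h) for h in hosts}
        if len(domains) >= min_domains:
            findings.append((ip, sorted(domains)))
    return findings


# Constructed sample: a handful of lines in the shape of the log posted above,
# plus benign hosts entries (ad-block style and a LAN name) and an unrelated
# O4 line, none of which should be reported.
SAMPLE_LOG = """\
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 banking.postbank.de
O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 meine.deutsche-bank.de
O1 - Hosts: 127.0.0.1 ads.example-tracker.net
O1 - Hosts: 127.0.0.1 metrics.example-tracker.net
O1 - Hosts: 192.168.1.10 nas.home.lan
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

if __name__ == "__main__":
    for ip, domains in find_pharming(SAMPLE_LOG):
        print(f"[!] {len(domains)} unrelated domains redirected to {ip}: {', '.join(domains)}")
```

Run against the full log pasted above, the checker reports the single public IP with every bank domain listed under it; the ad-block and LAN lines stay silent.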


----------



## zabusant (Sep 6, 2007)

I believe you're in trouble here; I will request that this thread be moved to the malware removal part of the forum. Good luck with this!

BTW, if you're doing any banking/paying bills over the internet, I suggest you stop until an expert examines the log. I hate malware! 
And be patient, it could take some time.


----------



## dvk01 (Dec 14, 2002)

You have a password-stealing banker trojan.

I was considering deleting all the posts with pretty useless advice, but I have decided to leave them to show that they should think before posting.

* Please read all these instructions very carefully before starting the fix *
*Step 1.* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix or SDFix, and make sure you are disconnected from the net before starting any of these programs.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or SDfix and remove some of their embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the net.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.cmd* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

then when it has rebooted

Delete any existing version of ComboFix you have sitting on your desktop

Download ComboFix from *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***
--------------------------------------------------------------------

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

WARNING: *If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.*
*Please do not re-connect your machine to the Internet until ComboFix has completely finished.*
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connection.

Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" *along with a *new HijackThis log* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****


----------



## dvk01 (Dec 14, 2002)

before we go any further read this

We have found out that this malware/spyware is designed to steal your private information. That includes all passwords, logins to forums, your email details and other websites, and most of all your Bank, Credit card or PayPal details.
It is vital that after you have been cleaned up you change all your passwords, and it is necessary to get in touch with your Bank or other financial body to inform them that your details may (probably have) been stolen.
It also seems to be able to steal all your emails, so anything you have emailed to anybody is no longer confidential.


----------



## Kadence (Nov 28, 2007)

My computer won't restart into Safe Mode. It starts loading up the files, then restarts itself.


----------



## Kadence (Nov 28, 2007)

bump


----------



## Kadence (Nov 28, 2007)

The file it ends on before restarting is Drivers/JGogo.sys, I think.


----------



## dvk01 (Dec 14, 2002)

Skip SDFix and just run ComboFix.


----------



## Kadence (Nov 28, 2007)

Done as above, here are my new logs:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:05:49, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.mynortonaccount.com/amsweb/default.do
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\system32\mmsvc32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\system32\spools.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8068 bytes

ComboFix 07-12-09.1 - Administrator 2007-12-12 17:59:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1573 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSNAPI32.DLL

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-12 11:43 . 2007-12-12 11:44	1,393	--a------	C:\WINDOWS\imsins.BAK
2007-12-08 17:34 . 2007-12-08 17:34 d--------	C:\VundoFix Backups
2007-12-08 17:28 . 2007-12-08 17:29	3,320	--a------	C:\WINDOWS\system32\tmp.reg
2007-12-05 22:40 . 2007-12-05 22:38	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-05 22:38 . 2007-12-05 22:46 d--------	C:\Documents and Settings\Administrator\.housecall6.6
2007-12-05 22:37 . 2007-12-05 22:37 d--------	C:\WINDOWS\Sun
2007-12-05 22:37 . 2007-12-05 22:37 d--------	C:\Program Files\Java
2007-12-05 22:37 . 2007-09-24 23:31	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2007-12-05 22:36 . 2007-12-05 22:36 d--------	C:\Program Files\Common Files\Java
2007-12-05 22:29 . 2007-12-05 22:29 d--------	C:\WINDOWS\Performance
2007-12-05 22:28 . 2007-12-05 22:28 d--------	C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-12-05 22:18 . 2007-12-05 22:22 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-05 22:10 . 2007-12-08 22:53	1,905	--a------	C:\WINDOWS\diagwrn.xml
2007-12-05 22:10 . 2007-12-08 22:53	1,905	--a------	C:\WINDOWS\diagerr.xml
2007-12-05 18:04 . 2007-12-05 18:04 d--------	C:\Documents and Settings\LocalService\Application Data\Xfire
2007-12-04 18:08 . 2007-12-08 22:17 d--------	C:\Program Files\Common Files\Blizzard Entertainment
2007-12-04 01:33 . 2007-12-04 01:33	823,296	--a------	C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 01:33 . 2007-12-04 01:33	823,296	--a------	C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 01:33 . 2007-12-04 01:33	802,816	--a------	C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 01:33 . 2007-12-04 01:33	682,496	--a------	C:\WINDOWS\system32\DivX.dll
2007-12-03 22:30 . 2007-12-03 22:30 d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-03 19:49 . 2007-12-03 19:49 d--------	C:\Documents and Settings\Administrator\Application Data\DivX
2007-12-02 23:34 . 2007-12-02 23:34 d--------	C:\Program Files\Windows Defender
2007-12-02 23:14 . 2007-12-02 23:14	228,603	-r-------	C:\WINDOWS\system32\spools.exe
2007-12-02 23:13 . 2007-12-02 23:14	228,603	--a------	C:\WINDOWS\system32\qqnseOQC.exe
2007-12-02 23:06 . 2007-12-02 23:06 d--------	C:\Documents and Settings\Liam\Application Data\Xfire
2007-12-02 22:50 . 2007-12-02 23:08 d--------	C:\Documents and Settings\Liam\Application Data\uTorrent
2007-12-02 22:49 . 2007-12-02 22:58 d--------	C:\Documents and Settings\Liam\Application Data\Ventrilo
2007-12-02 22:47 . 2007-12-02 22:47 d--------	C:\Program Files\Common Files\Adobe
2007-12-02 22:45 . 2007-12-02 22:46 d--------	C:\Documents and Settings\Liam\Contacts
2007-12-02 22:44 . 2007-12-02 22:45 d--------	C:\Documents and Settings\Liam\Application Data\AdobeUM
2007-12-02 22:38 . 2007-12-02 22:38 d--------	C:\Documents and Settings\Liam\Application Data\ATI
2007-12-02 21:59 . 2007-12-02 21:59	53,248	--a------	C:\WINDOWS\system32\CSVer.dll
2007-12-02 21:47 . 2007-12-02 21:47	315,392	--a------	C:\WINDOWS\HideWin.exe
2007-12-02 21:40 . 2007-12-02 21:40 d--------	C:\Intel
2007-12-02 13:26 . 2007-12-02 13:26 d--------	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-02 13:14 . 2006-02-04 03:50	5,174	--a------	C:\WINDOWS\system32\nppt9x.vxd
2007-12-02 13:14 . 2006-02-04 03:50	4,682	--a------	C:\WINDOWS\system32\npptNT2.sys
2007-12-02 13:08 . 2007-07-30 19:19	271,224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-12-02 13:08 . 2007-07-30 19:19	207,736	--a------	C:\WINDOWS\system32\muweb.dll
2007-12-02 13:08 . 2007-07-30 19:19	30,072	--a------	C:\WINDOWS\system32\mucltui.dll.mui
2007-12-02 13:05 . 2007-12-02 13:05 d--------	C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-12-02 12:20 . 2007-12-02 12:20	0	--a------	C:\WINDOWS\system32\XkhcPbbt.exe
2007-12-02 12:20 . 2007-12-02 12:20	0	--a------	C:\WINDOWS\system32\EXayuyYn.exe
2007-12-02 12:19 . 2007-12-02 12:19	0	--a------	C:\WINDOWS\system32\vwaRMbGl.exe
2007-12-02 12:18 . 2007-12-02 12:18	0	--a------	C:\WINDOWS\system32\DXmijNIM.exe
2007-12-02 12:17 . 2007-12-02 12:17	0	--a------	C:\WINDOWS\system32\vRNCOWFm.exe
2007-12-02 12:17 . 2007-12-02 12:17	0	--a------	C:\WINDOWS\system32\riYdTpNs.exe
2007-12-02 12:16 . 2007-12-02 12:16	0	--a------	C:\WINDOWS\system32\olRNHAph.exe
2007-12-02 12:15 . 2007-12-02 12:15	0	--a------	C:\WINDOWS\system32\QjqpdIdd.exe
2007-12-02 12:15 . 2007-12-02 12:15	0	--a------	C:\WINDOWS\system32\pffXDFfH.exe
2007-12-02 12:14 . 2007-12-02 12:14	0	--a------	C:\WINDOWS\system32\SeXCcWoO.exe
2007-12-01 23:03 . 2007-12-01 23:03	1,156	--a------	C:\WINDOWS\mozver.dat
2007-12-01 23:01 . 2007-12-01 23:01	0	--a------	C:\WINDOWS\nsreg.dat
2007-12-01 22:43 . 2007-12-01 22:45 d--------	C:\Documents and Settings\Administrator\Application Data\Ventrilo
2007-12-01 22:40 . 2007-12-03 22:30 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 21:19 . 2007-12-01 21:21 d--hsc---	C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-01 21:18 . 2007-12-01 21:21 d--------	C:\Program Files\Windows Live
2007-12-01 21:04 . 2007-12-01 21:05	228,603	--a------	C:\WINDOWS\system32\aqHfUNWM.exe
2007-12-01 20:54 . 2007-12-01 20:54	0	--a------	C:\WINDOWS\system32\tmpuk.clk
2007-12-01 20:33 . 2007-10-12 15:14	3,734,536	--a------	C:\WINDOWS\system32\d3dx9_36.dll
2007-12-01 20:33 . 2007-07-19 18:14	3,727,720	--a------	C:\WINDOWS\system32\d3dx9_35.dll
2007-12-01 20:33 . 2007-10-12 15:14	1,374,232	--a------	C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-01 20:33 . 2007-07-19 18:14	1,358,192	--a------	C:\WINDOWS\system32\D3DCompiler_35.dll
2007-12-01 20:33 . 2007-10-02 09:56	444,776	--a------	C:\WINDOWS\system32\d3dx10_36.dll
2007-12-01 20:33 . 2007-07-19 18:14	444,776	--a------	C:\WINDOWS\system32\d3dx10_35.dll
2007-12-01 20:33 . 2007-10-22 03:39	267,272	--a------	C:\WINDOWS\system32\xactengine2_10.dll
2007-12-01 20:33 . 2007-07-20 00:57	267,112	--a------	C:\WINDOWS\system32\xactengine2_9.dll
2007-12-01 20:29 . 2007-12-01 20:29 d--------	C:\Program Files\uTorrent
2007-12-01 20:29 . 2007-12-09 21:09 d--------	C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-12-01 20:20 . 2007-12-01 20:20	280	--ah-----	C:\sqmdata00.sqm
2007-12-01 20:20 . 2007-12-01 20:20	244	--ah-----	C:\sqmnoopt00.sqm
2007-12-01 20:18 . 2007-05-16 16:45	3,497,832	--a------	C:\WINDOWS\system32\d3dx9_34.dll
2007-12-01 20:18 . 2007-05-16 16:45	1,124,720	--a------	C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-01 20:18 . 2007-03-12 16:42	1,123,696	--a------	C:\WINDOWS\system32\D3DCompiler_33.dll
2007-12-01 20:18 . 2007-05-16 16:45	443,752	--a------	C:\WINDOWS\system32\d3dx10_34.dll
2007-12-01 20:18 . 2007-03-15 16:57	443,752	--a------	C:\WINDOWS\system32\d3dx10_33.dll
2007-12-01 20:18 . 2007-06-20 20:46	266,088	--a------	C:\WINDOWS\system32\xactengine2_8.dll
2007-12-01 20:18 . 2007-04-04 18:55	261,480	--a------	C:\WINDOWS\system32\xactengine2_7.dll
2007-12-01 20:18 . 2007-04-04 18:53	81,768	--a------	C:\WINDOWS\system32\xinput1_3.dll
2007-12-01 20:18 . 2007-10-22 03:37	17,928	--a------	C:\WINDOWS\system32\X3DAudio1_2.dll
2007-12-01 20:16 . 2007-12-10 23:15	107,832	--a------	C:\WINDOWS\system32\PnkBstrB.exe
2007-12-01 20:16 . 2007-12-01 20:21	66,872	--a------	C:\WINDOWS\system32\PnkBstrA.exe
2007-12-01 20:16 . 2007-12-10 23:15	22,328	--a------	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-01 20:16 . 2007-12-01 20:16	22,328	--a------	C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-12-01 20:16 . 2007-12-01 20:16	287	--a------	C:\WINDOWS\game.ini
2007-12-01 20:14 . 2007-12-01 21:18 d--------	C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-01 19:59 . 2007-12-01 19:59 d--hs----	C:\WINDOWS\ftpcache
2007-12-01 19:56 . 2004-08-03 22:58	14,848	--a------	C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-01 19:56 . 2004-08-03 22:58	14,848	--a--c---	C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-01 19:51 . 2007-12-01 19:51 d--------	C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-12-01 19:43 . 2007-12-10 23:13 d--------	C:\Documents and Settings\Administrator\Application Data\Xfire
2007-12-01 19:43 . 2007-11-29 16:29	71,603	-r-------	C:\WINDOWS\system32\mmsvc32.exe
2007-12-01 19:43 . 2004-08-03 23:08	26,496	--a--c---	C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-01 19:43 . 2007-12-12 18:03	0	--a------	C:\WINDOWS\system32\1.htm
2007-12-01 19:36 . 2007-12-01 19:36 d--------	C:\Documents and Settings\All Users\Application Data\ATI
2007-12-01 19:36 . 2007-12-01 21:25 d--------	C:\Documents and Settings\Administrator\Contacts
2007-12-01 19:36 . 2007-12-01 19:36 d--------	C:\Documents and Settings\Administrator\Application Data\ATI
2007-12-01 19:32 . 2007-12-01 21:21 d----c---	C:\WINDOWS\system32\DRVSTORE
2007-12-01 18:57 . 2007-12-01 18:57 d--------	C:\Program Files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 11:42	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-12-12 11:42	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-05 18:05	805	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 18:05	123,952	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 18:05	10,740	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 18:05	---------	d-----w	C:\Program Files\Symantec
2007-12-01 17:59	---------	d-----w	C:\Program Files\Norton Internet Security
2007-12-01 14:41	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-12-01 13:52	15,939	----a-w	C:\WINDOWS\system32\drivers\AegisP.sys
2007-12-01 13:36	---------	d-----w	C:\Program Files\microsoft frontpage
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-02 05:52	2,644,480	----a-w	C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-11-02 03:22	49,152	----a-w	C:\WINDOWS\system32\drivers\ati2erec.dll
2007-10-20 00:56	9,464	------w	C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-10-20 00:56	9,336	------w	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-10-20 00:56	43,528	------w	C:\WINDOWS\system32\drivers\PxHelp20.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GoBack]
@={1F038B9D-83F5-4b28-BA76-8654EC297DD6}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Offline Files]

[HKEY_CLASSES_ROOT\CLSID\{1F038B9D-83F5-4b28-BA76-8654EC297DD6}]
2006-07-19 11:44	607920	-ra------	C:\Program Files\Norton GoBack\ShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-12-01 21:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 07:04]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 09:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 10:04 C:\WINDOWS\SkyTel.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 12:44]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"Microsoft Network Services Controller"="C:\WINDOWS\system32\mmsvc32.exe" [2007-11-29 16:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Spools Service Controller"="C:\WINDOWS\system32\spools.exe" [2007-12-02 23:14]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"AAWTray"="D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2006-07-19 11:44:30]

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
2007-08-08 15:53	88024	--a------	D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys
R0 uGuru;uGuru;C:\WINDOWS\system32\Drivers\uGuru.sys
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys
R3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys
R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 dump_wmimmc;dump_wmimmc;\??\D:\Program Files\Lineage II\system\GameGuard\dump_wmimmc.sys
S3 Memctl;Memctl;\??\C:\Program Files\ABIT\FlashMenu\Memctl.sys

*Newly Created Service* - COMHOST 
*Newly Created Service* - GTNDIS5 
.
Contents of the 'Scheduled Tasks' folder
"2007-12-12 17:57:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-01 13:51:26 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\MSNAPI32.DLL
-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ilotlmkcD.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 18:03:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\Program Files\Internet Explorer\iexplore.exe [3104] 0x88C2DDA0

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\mmsvc32.exe 71603 bytes executable
C:\WINDOWS\system32\spools.exe 228603 bytes executable

scan completed successfully 
hidden files: 2

**************************************************************************
.
Completion time: 2007-12-12 18:04:35 - machine was rebooted
.
--- E O F ---
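
The listing above has the three signals a responder looks for in a ComboFix log: ten zero-byte executables with random eight-letter names written to system32 within six minutes, two Run entries named like Windows services ("Microsoft Network Services Controller", "Spools Service Controller") pointing at system32 executables, and catchme reporting those same two files as hidden. The script below, an added example that is not ComboFix's own code, parses those three sections and reports each signal. The sample strings are constructed from a handful of the log's lines; the ten-minute window, the three-file burst threshold and the random-name heuristic are assumptions.

```python
"""Triage of a ComboFix-style log excerpt: new files, Run keys and catchme output.

Added example (not ComboFix's own code). SAMPLE_* are constructed from a subset of
the log above; the thresholds and the random-name heuristic are assumptions.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LISTING = (  # constructed: a subset of the "new files" listing
    "2007-12-02 23:14 . 2007-12-02 23:14\t228,603\t-r-------\tC:\\WINDOWS\\system32\\spools.exe\n"
    "2007-12-02 21:59 . 2007-12-02 21:59\t53,248\t--a------\tC:\\WINDOWS\\system32\\CSVer.dll\n"
    "2007-12-02 13:05 . 2007-12-02 13:05 d--------\tC:\\Documents and Settings\\Administrator\\Application Data\\InstallShield\n"
    "2007-12-02 12:20 . 2007-12-02 12:20\t0\t--a------\tC:\\WINDOWS\\system32\\XkhcPbbt.exe\n"
    "2007-12-02 12:20 . 2007-12-02 12:20\t0\t--a------\tC:\\WINDOWS\\system32\\EXayuyYn.exe\n"
    "2007-12-02 12:19 . 2007-12-02 12:19\t0\t--a------\tC:\\WINDOWS\\system32\\vwaRMbGl.exe\n"
    "2007-12-02 12:14 . 2007-12-02 12:14\t0\t--a------\tC:\\WINDOWS\\system32\\SeXCcWoO.exe\n"
    "2007-12-01 20:33 . 2007-10-12 15:14\t3,734,536\t--a------\tC:\\WINDOWS\\system32\\d3dx9_36.dll\n"
    "2007-12-01 19:43 . 2007-11-29 16:29\t71,603\t-r-------\tC:\\WINDOWS\\system32\\mmsvc32.exe\n"
)
SAMPLE_RUN_KEYS = (  # constructed: three lines from the HKLM Run key dump
    '"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe" [2006-11-10 11:35]\n'
    '"Microsoft Network Services Controller"="C:\\WINDOWS\\system32\\mmsvc32.exe" [2007-11-29 16:29]\n'
    '"Spools Service Controller"="C:\\WINDOWS\\system32\\spools.exe" [2007-12-02 23:14]\n'
)
SAMPLE_HIDDEN = (  # constructed: the catchme "hidden files" lines
    "C:\\WINDOWS\\system32\\mmsvc32.exe 71603 bytes executable\n"
    "C:\\WINDOWS\\system32\\spools.exe 228603 bytes executable\n"
)

LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[-drahsc]+)\s+(?P<path>\S.*?)\s*$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
HIDDEN_RE = re.compile(r"^(?P<path>.+?) \d+ bytes ")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_listing(text):
    """Return one dict per file line of the 'created . modified size attrs path' listing."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if not m or m.group("attrs").startswith("d"):   # directories carry no size
            continue
        size = m.group("size")
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "size": int(size.replace(",", "")) if size else None,
            "path": m.group("path"),
        })
    return entries


def looks_random(stem):
    """Heuristic (assumption): eight letters with capitals scattered past the first one."""
    return bool(re.fullmatch(r"[A-Za-z]{8}", stem)) and any(c.isupper() for c in stem[1:])


def triage(listing, run_keys, hidden, window=timedelta(minutes=10), burst_min=3):
    """Collect (kind, detail) findings; the thresholds are assumed, not ComboFix's."""
    findings = []
    exes = sorted(
        (e for e in parse_listing(listing)
         if e["path"].lower().startswith(SYSTEM32) and e["path"].lower().endswith(".exe")),
        key=lambda e: e["created"])
    for e in exes:
        stem = e["path"].rsplit("\\", 1)[-1][:-4]
        if e["size"] == 0:
            findings.append(("zero-byte exe in system32", e["path"]))
        if looks_random(stem):
            findings.append(("random-looking name", e["path"]))
    # A burst: several new executables landing in system32 within one short window.
    for i, e in enumerate(exes):
        burst = [x["path"] for x in exes[i:] if x["created"] - e["created"] <= window]
        if len(burst) >= burst_min:
            findings.append(("burst of new executables", burst))
            break
    # Files catchme reports as hidden that also own an autostart entry.
    hidden_paths = {m.group("path").lower()
                    for m in map(HIDDEN_RE.match, hidden.splitlines()) if m}
    for line in run_keys.splitlines():
        m = RUN_RE.match(line)
        if m and m.group("target").lower() in hidden_paths:
            findings.append(("hidden file with autostart entry",
                             f'{m.group("name")} -> {m.group("target")}'))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LISTING, SAMPLE_RUN_KEYS, SAMPLE_HIDDEN):
        print(f"{kind}: {detail}")
```

Each finding on its own is weak (a legitimate installer can drop several files in a minute), which is why the hidden-plus-autostart cross-reference is the one worth acting on first: a file the rootkit detector cannot see through the normal API but which the Run key still launches is exactly what the SDFix run later in this thread removed.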


----------



## Kadence (Nov 28, 2007)

I made a new log again 5 minutes later, and this is what came up:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:25:48, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.mynortonaccount.com/amsweb/default.do
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 banking.postbank.de
O1 - Hosts: 82.146.60.44 direkt.postbank.de
O1 - Hosts: 82.146.60.44 www.smile.co.uk
O1 - Hosts: 82.146.60.44 smile.co.uk
O1 - Hosts: 82.146.60.44 cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.co.uk
O1 - Hosts: 82.146.60.44 cahoot.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.com
O1 - Hosts: 82.146.60.44 co-operativebank.com
O1 - Hosts: 82.146.60.44 personal.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.co.uk
O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk
O1 - Hosts: 82.146.60.44 www.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.touchclarity.com
O1 - Hosts: 82.146.60.44 hsbc.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 hsbc.touchclarity.com
O1 - Hosts: 82.146.60.44 www1.member-hsbc-group.com
O1 - Hosts: 82.146.60.44 lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 www.lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 lloydstsb.com
O1 - Hosts: 82.146.60.44 www.lloydstsb.com
O1 - Hosts: 82.146.60.44 mi.lloydstsb.com
O1 - Hosts: 82.146.60.44 www.woolwich.co.uk
O1 - Hosts: 82.146.60.44 woolwich.co.uk
O1 - Hosts: 82.146.60.44 www.deutsche-bank.de
O1 - Hosts: 82.146.60.44 deutsche-bank.de
O1 - Hosts: 82.146.60.44 meine.deutsche-bank.de
O1 - Hosts: 82.146.60.44 www.anbusiness.com
O1 - Hosts: 82.146.60.44 anbusiness.com
O1 - Hosts: 82.146.60.44 www.abbeyinternational.com
O1 - Hosts: 82.146.60.44 www.barclays.com
O1 - Hosts: 82.146.60.44 barclays.com
O1 - Hosts: 82.146.60.44 ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.60.44 offshore.hsbc.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\system32\mmsvc32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\system32\spools.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9837 bytes
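
The O1 block in this log is the part that matters most: forty-odd online-banking hostnames pinned to one public address, 82.146.60.44, which is how a hosts-file hijack silently sends a victim's bank logins to a server the attacker controls. The script below is an added example, not HijackThis's own code. It parses the "O1 - Hosts:" lines, groups hostnames by address, ignores loopback and private addresses (ad-blocking and intranet entries look similar but are benign), and reports each public address together with the brands affected. SAMPLE_HJT is constructed from a subset of the log above plus two benign lines; MIN_HOSTS and SECOND_LEVEL are assumptions.

```python
"""Spot hosts-file hijacking in HijackThis "O1 - Hosts:" lines.

Added example (not HijackThis's own code). SAMPLE_HJT is constructed from a subset
of the log above plus two benign lines; MIN_HOSTS and SECOND_LEVEL are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://google.co.uk/
O1 - Hosts: 127.0.0.1 ads.example
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 banking.postbank.de
O1 - Hosts: 82.146.60.44 www.smile.co.uk
O1 - Hosts: 82.146.60.44 personal.barclays.co.uk
O1 - Hosts: 82.146.60.44 ibank.barclays.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 offshore.hsbc.com
O1 - Hosts: 10.0.0.5 intranet.example
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
MIN_HOSTS = 2                                            # assumption: two or more names on one public IP
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}  # assumption: tiny stand-in for a public-suffix list


def parse_o1(text):
    """Return (ip, hostname) pairs from the O1 lines of a HijackThis log."""
    return [(m.group("ip"), m.group("host").lower())
            for m in map(O1_RE.match, text.splitlines()) if m]


def classify_ip(ip):
    """loopback / private / global / invalid, via the ipaddress module."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "global"


def registrable(host):
    """Collapse a hostname to its brand-level domain (heuristic, see SECOND_LEVEL)."""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-n:])


def find_pharming(text, min_hosts=MIN_HOSTS):
    """Public IPs that several hostnames are pinned to, with the brands affected.

    Loopback entries (ad blocking, sinkholes) and private addresses (intranet
    names) are left alone; one public address collecting many unrelated bank
    hostnames is the hijack pattern.
    """
    clusters = defaultdict(set)
    for ip, host in parse_o1(text):
        clusters[ip].add(host)
    report = []
    for ip, hosts in clusters.items():
        if classify_ip(ip) == "global" and len(hosts) >= min_hosts:
            report.append({"ip": ip,
                           "hosts": sorted(hosts),
                           "brands": sorted({registrable(h) for h in hosts})})
    return report


if __name__ == "__main__":
    for hit in find_pharming(SAMPLE_HJT):
        print(f"{hit['ip']}: {len(hit['hosts'])} hostnames, brands {hit['brands']}")
```

The fix for this finding is the one SDFix applies further down the thread: restore the default hosts file (a single `127.0.0.1 localhost` line on XP) rather than edit individual entries, and treat any credentials entered at those sites while the mapping was in place as exposed.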


----------



## Kadence (Nov 28, 2007)

Are there any other programs I could use to remove this without going into Safe Mode? Any help appreciated!


----------



## Kadence (Nov 28, 2007)

bump


----------



## dvk01 (Dec 14, 2002)

We need you to be able to get to Safe Mode to safely fix it.

Follow the advice here first:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

Reboot and try SDFix again, as Safe Mode should work now.


----------



## Kadence (Nov 28, 2007)

You're the best! I could kiss you right now. It's working at the moment. It said it had deleted trojans. I'll use it for a day and post the logs, just to check it's still going all right. Thanks a bunch!

xx


----------



## dvk01 (Dec 14, 2002)

Post the SDFix report, as I need to see it before we move on to the next stage of the fix.


----------



## Kadence (Nov 28, 2007)

SDFix: Version 1.117

Run by Administrator on 13/12/2007 at 21:21

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\DXMIJNIM.EXE - Deleted
C:\WINDOWS\SYSTEM32\EXAYUYYN.EXE - Deleted
C:\WINDOWS\SYSTEM32\OLRNHAPH.EXE - Deleted
C:\WINDOWS\SYSTEM32\PFFXDFFH.EXE - Deleted
C:\WINDOWS\SYSTEM32\QJQPDIDD.EXE - Deleted
C:\WINDOWS\SYSTEM32\RIYDTPNS.EXE - Deleted
C:\WINDOWS\SYSTEM32\SEXCCWOO.EXE - Deleted
C:\WINDOWS\SYSTEM32\VRNCOWFM.EXE - Deleted
C:\WINDOWS\SYSTEM32\VWARMBGL.EXE - Deleted
C:\WINDOWS\SYSTEM32\XKHCPBBT.EXE - Deleted
C:\WINDOWS\system32\1.htm - Deleted
C:\WINDOWS\system32\mmsvc32.exe - Deleted
C:\WINDOWS\system32\spools.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 21:24:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\gate.exe"="C:\\WINDOWS\\system32\\gate.exe:*:Enabled:Enabled"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Disabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Disabled:PnkBstrB"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"D:\\Program Files\\Activision\\iw3mp.exe"="D:\\Program Files\\Activision\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 1 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!


----------



## Kadence (Nov 28, 2007)

bump


----------



## dvk01 (Dec 14, 2002)

I think that got most of it.

* Run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from Kaspersky scan*

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

You must use IE for the scan to work.


----------



## Kadence (Nov 28, 2007)

Here is my Kaspersky report:

KASPERSKY ONLINE SCANNER REPORT 
Monday, December 17, 2007 3:54:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/12/2007
Kaspersky Anti-Virus database records: 485097

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
A:\
C:\
D:\
E:\

Scan Statistics 
Total number of scanned objects 44495 
Number of viruses found 5 
Number of infected objects 28 
Number of suspicious objects 0 
Duration of the scan process 00:55:32

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9834_9C6_3409_A7F8\dfsr.db Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9834_9C6_3409_A7F8\fsr.log Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9834_9C6_3409_A7F8\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9834_9C6_3409_A7F8\tmp.edb Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{00B7C956-3901-4C93-B2E0-D4B6337DC13E} Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007121720071218\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\temp\~DF6753.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\temp\~DF6810.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\temp\~DFC014.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\temp\~DFC0D3.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped

C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12022007-233402.log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\MSNAPI32.DLL.vir Infected: Rootkit.Win32.Delf.j skipped

C:\SDFix\backups\backups.zip/backups/mmsvc32.exe Infected: Trojan.Win32.Inject.oh skipped

C:\SDFix\backups\backups.zip/backups/spools.exe Infected: Trojan.Win32.Inject.oh skipped

C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped

C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.aca skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP43\A0006686.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP54\A0014482.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0015554.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0015554.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0015554.exe RarSFX: infected - 2 skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0015562.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0017139.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP56\A0017282.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP56\A0017308.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP56\A0017326.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP58\A0018450.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP58\A0019518.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP58\A0019533.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP58\A0019534.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP58\A0019543.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP58\A0019549.exe Infected: Trojan.Win32.Inject.oh skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP59\A0019580.DLL Infected: Rootkit.Win32.Delf.j skipped

C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP63\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\SPOONHEAD.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\aqHfUNWM.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\gate.exe Infected: Trojan.Win32.Inject.oh skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\MUlXiukp.exe Infected: Trojan.Win32.Inject.oh skipped

C:\WINDOWS\system32\qPSQDCmQ.exe Infected: Trojan.Win32.Inject.oh skipped

C:\WINDOWS\system32\qqnseOQC.exe Infected: Net-Worm.Win32.Nanspy.y skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\XtIJVFcn.exe Infected: Trojan.Win32.Inject.oh skipped

C:\WINDOWS\Temp\ZLT0320c.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT04784.TMP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP63\change.log Object is locked skipped

Scan process completed.

and my hijackthis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:57:12, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ALCFDRTM.EXE
D:\Program Files\Xfire\xfire.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.mynortonaccount.com/amsweb/default.do
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/200015205/kavwebscan_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5963 bytes

Thanks!
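The scan report and HijackThis log above are worth treating as data rather than just pasting. As an added example (not code from this thread, from Kaspersky or from the helpers here), the Python below parses the report's one-line-per-object format, separates files that are live on the running system from copies that only sit in System Restore points or in the ComboFix and SDFix backup folders, and lists what actually needs removing. The sample lines are a constructed subset of the report posted above; the location classes and the backup-folder paths it recognises (qoobox\Quarantine, SDFix\backups) are assumptions taken from those lines.

```python
import re
from collections import Counter

# Constructed subset of the scanner report posted in this thread (same
# one-line-per-object format, fewer lines). Used here as sample input.
SAMPLE_REPORT = r"""C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\MSNAPI32.DLL.vir Infected: Rootkit.Win32.Delf.j skipped
C:\SDFix\backups\backups.zip/backups/mmsvc32.exe Infected: Trojan.Win32.Inject.oh skipped
C:\SDFix\backups\backups.zip/backups/spools.exe Infected: Trojan.Win32.Inject.oh skipped
C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.aca skipped
C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP43\A0006686.exe Infected: Net-Worm.Win32.Nanspy.y skipped
C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0015554.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP55\A0015554.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{111CE2F5-86B0-4FD9-A59C-A39A958A5559}\RP59\A0019580.DLL Infected: Rootkit.Win32.Delf.j skipped
C:\WINDOWS\system32\aqHfUNWM.exe Infected: Net-Worm.Win32.Nanspy.y skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\gate.exe Infected: Trojan.Win32.Inject.oh skipped
C:\WINDOWS\system32\MUlXiukp.exe Infected: Trojan.Win32.Inject.oh skipped
C:\WINDOWS\system32\qPSQDCmQ.exe Infected: Trojan.Win32.Inject.oh skipped
C:\WINDOWS\system32\qqnseOQC.exe Infected: Net-Worm.Win32.Nanspy.y skipped
C:\WINDOWS\system32\XtIJVFcn.exe Infected: Trojan.Win32.Inject.oh skipped
Scan process completed.
"""

# The three record shapes seen in the report. Paths contain spaces, so the
# path group is non-greedy and the fixed trailer anchors each match.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<n>\d+) skipped$")


def location_class(path: str) -> str:
    """Where an object lives decides what the hit means for the running system.
    The folder names are assumptions based on the paths in this thread."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # old copies kept by System Restore; inert unless restored
    if "\\qoobox\\quarantine\\" in p or "\\sdfix\\backups\\" in p:
        return "tool-backup"     # already pulled out by ComboFix / SDFix and kept as backups
    return "live"                # sits on the running system and still needs removing


def parse_report(text: str) -> list:
    """Return (kind, path, detail) for every line that is an object record."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := INFECTED.match(line):
            entries.append(("infected", m["path"], m["name"]))
        elif m := LOCKED.match(line):
            entries.append(("locked", m["path"], None))
        elif m := ARCHIVE.match(line):
            # Summary line for a container whose members were already listed.
            entries.append(("archive", m["path"], f"{m['kind']}:{m['n']}"))
        # Anything else ("Scan process completed.", blank lines) is not a record.
    return entries


def triage(text: str) -> dict:
    """Group detections by location class and by detection name."""
    entries = parse_report(text)
    by_class = {"live": [], "restore-point": [], "tool-backup": []}
    detections = Counter()
    for kind, path, detail in entries:
        if kind != "infected":
            continue
        by_class[location_class(path)].append((path, detail))
        detections[detail] += 1
    return {
        "locked": sum(1 for k, _, _ in entries if k == "locked"),
        "archives": [p for k, p, _ in entries if k == "archive"],
        "detections": detections,
        "by_class": by_class,
        # The only list that calls for action on the running system.
        "live_files": sorted((p for p, _ in by_class["live"]), key=str.lower),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("locked/skipped objects:", result["locked"])
    for cls, hits in result["by_class"].items():
        print(f"{cls}: {len(hits)} infected object(s)")
    print("detections:", dict(result["detections"]))
    print("live files needing removal:")
    for path in result["live_files"]:
        print("  ", path)
```

Run as a script it prints the breakdown. On the sample input the six live system32 files are exactly the ones the CFScript later in the thread targets, and the restore-point hits are the reason the thread ends with purging System Restore: a scanner flags them, but they do nothing until a restore point is applied.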


----------



## Kadence (Nov 28, 2007)

bump


----------



## ~Candy~ (Jan 27, 2001)

No need to keep bumping, Derek is in a different time zone. I'm sure he'll get to you the next time he logs in. Please remember, we all have REAL LIVES here as well.


----------



## dvk01 (Dec 14, 2002)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\aqHfUNWM.exe
C:\WINDOWS\system32\gate.exe
C:\WINDOWS\system32\MUlXiukp.exe
C:\WINDOWS\system32\qPSQDCmQ.exe
C:\WINDOWS\system32\qqnseOQC.exe
C:\WINDOWS\system32\XtIJVFcn.exe
```
save the notepad file to your desktop and name it CFScript.txt
download the attached CFScript.txt to your desktop

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## Kadence (Nov 28, 2007)

Attached are the required logs:


----------



## dvk01 (Dec 14, 2002)

we either missed one or they are recreating

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\AQYwSued.exe
```
save the notepad file to your desktop and name it CFScript.txt
download the attached CFScript.txt to your desktop

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
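A missed file, or files that come back after removal, are what a before/after comparison catches. As an added example (not from this thread, from ComboFix or from the helpers), the Python below diffs two constructed listings of C:\WINDOWS\system32, flags executables that are new since the previous snapshot, and ranks them with a naming heuristic: every malicious name in this thread is eight letters with capitals scattered through the stem. The listings, the file sizes and the heuristic's thresholds are assumptions; PnkBstrA.exe from the HijackThis log above is included to show why the name check on its own is only a ranking signal, not a verdict.

```python
# Constructed listings (file name -> size in bytes) standing in for two
# snapshots of C:\WINDOWS\system32 taken before and after a clean-up run.
# Bad names are the ones seen in this thread; the rest are ordinary XP
# components. Sizes are made up.
BEFORE = {
    "ctfmon.exe": 15360, "svchost.exe": 14336, "spoolsv.exe": 57856,
    "notepad.exe": 69120, "PnkBstrA.exe": 66872,
    "aqHfUNWM.exe": 40960, "qqnseOQC.exe": 40960,
}
AFTER = {
    "ctfmon.exe": 15360, "svchost.exe": 14336, "spoolsv.exe": 57856,
    "notepad.exe": 69120, "PnkBstrA.exe": 66872,
    "AQYwSued.exe": 40960,
}


def looks_generated(name: str) -> bool:
    """Heuristic (assumption): an eight-letter, letters-only stem with two or
    more capitals after the first character looks machine-generated. It matches
    every malicious name in this thread, but also some legitimate ones
    (PnkBstrA.exe), so callers treat it as a ranking signal only."""
    stem, _, ext = name.rpartition(".")
    if ext.lower() not in ("exe", "dll") or len(stem) != 8 or not stem.isalpha():
        return False
    return sum(1 for c in stem[1:] if c.isupper()) >= 2


def compare_snapshots(before: dict, after: dict) -> dict:
    """Diff two name->size listings and explain why each new file is suspect."""
    new = sorted(set(after) - set(before), key=str.lower)
    gone = sorted(set(before) - set(after), key=str.lower)
    # A new file with the same size as one just removed is a hint that a
    # dropper re-created the same payload under a fresh random name.
    gone_sizes = {before[n] for n in gone}
    findings = []
    for name in new:
        reasons = ["new since last snapshot"]
        if looks_generated(name):
            reasons.append("machine-generated-looking name")
        if after[name] in gone_sizes:
            reasons.append("same size as a file removed earlier")
        findings.append((name, reasons))
    # Files present in both snapshots that only trip the name check: low
    # priority, listed so a reviewer can confirm them rather than ignore them.
    name_only = sorted((n for n in after if n not in new and looks_generated(n)),
                       key=str.lower)
    return {"new": new, "gone": gone, "findings": findings, "name_only": name_only}


if __name__ == "__main__":
    result = compare_snapshots(BEFORE, AFTER)
    print("removed:", result["gone"])
    for name, reasons in result["findings"]:
        print(f"SUSPECT {name}: " + "; ".join(reasons))
    print("name check only (verify, do not assume):", result["name_only"])
```

On the sample listings the diff alone would have surfaced AQYwSued.exe after the first CFScript run, with all three reasons attached, while PnkBstrA.exe is reported separately as a name-only hit because it was already present before the fix.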


----------



## Kadence (Nov 28, 2007)

Heres the new logs:


----------



## dvk01 (Dec 14, 2002)

that looks ok now

Please download  ATF Cleaner by Atribune

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Then: 
If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Then: 
If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
Press Cleanup and it will search for and delete/uninstall all the tools we have used to fix your problems and all their backup folders, and then delete itself when you next reboot.

then 
Turn off system restore by following instructions here 
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable system restore and create a new restore point. Now empty the Recycle Bin on the desktop.

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

And scan here http://secunia.com/software_inspector/ for out of date and vulnerable common applications on your computer.

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place


----------

