Malware Removal & HijackThis Logs

Post #1 - 11-May-2008, 06:54 PM
Hi, I've started getting loads of pop-ups, my desktop disappearing, and my IE is running so slow it's almost unusable. I ran several anti-virus / spyware programs and Vundo was detected. I then ran Fix Vundo and that didn't detect it - even though the other programs had! I just ran another scan and no viruses were found - but I'm still getting the pop-ups and my system is still slow - it's taken me over an hour to manage to post this! I'm not COMPLETELY PC illiterate but not that savvy either, so I really need step-by-step type help if anyone can provide it. Here's the HijackThis log that I've just done:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:21:24, on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\alg.exe
D:\Downloads\downloaded programs\New Folder\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [3874dd83] rundll32.exe "C:\WINDOWS\system32\clwrwmae.dll",b
O4 - HKLM\..\Run: [BM3b47ee1f] Rundll32.exe "C:\WINDOWS\system32\noiymlgr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1206808934410
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206808915145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7421 bytes

I know there are a few other threads with people having what appears to be the same problem but I thought I'd better be sure!
Any help greatly appreciated - it's driving me nuts!
Post #2 - 14-May-2008, 10:10 AM
Step 1

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix).
Please then reboot your computer in Safe Mode by doing the following:

__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers: thespykiller
Please help me by donating to help keep the Hedgehog Rescue Centre running.
We Care about Animals and the Environment
Post #3 - 14-May-2008, 06:38 PM
Many thanks for getting back to me! Here is the SDFix log:

SDFix: Version 1.182
Run by JeanMarie on 14/05/2008 at 23:02

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\JEANMA~1\Desktop\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 23:17:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Enabled:Run VNC Viewer"
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:winvnc4.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"="C:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp:*:Enabled:Kazaa"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\DOCUME~1\JEANMA~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 2 Apr 2008 74 A..H. --- "C:\Program Files\GlobalSCAPE\CuteFTP\cuteftp.sys"
Sat 29 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cbaf0df394fa14ff9f2c9298f5d2398a\BIT3.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT8.tmp"

Finished!

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:27:37, on 14/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Downloads\downloaded programs\New Folder\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\lcqcashg.dll (file missing)
O2 - BHO: (no name) - {6B1B7B98-4182-4620-83DB-07063621783C} - C:\WINDOWS\system32\cbXNHYsR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BEB39587-6D58-4A98-A50E-C672033D7D10} - C:\WINDOWS\system32\jkkIYrOG.dll (file missing)
O2 - BHO: {997e2395-ad60-ef38-6094-e4f04e39bf4c} - {c4fb93e4-0f4e-4906-83fe-06da5932e799} - C:\WINDOWS\system32\xdmtavmi.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [3874dd83] rundll32.exe "C:\WINDOWS\system32\sxdtmlgt.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1206808934410
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206808915145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pmnlmkkk - pmnlmkkk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7419 bytes

I ran AVG full version late last night and it seems to be blocking the pop-ups for the moment so I can at least open the internet again! It detected 54 threats last night but when I ran it this morning it didn't detect any. However later on it flashed up a threat warning. It seems to be after I go on the web that the problems start to occur. Thanks again!
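The HijackThis log above shows the pattern the helpers in this thread are reacting to: O4 Run values named with random hex ([3874dd83], [BM3b47ee1f]) that launch rundll32 against random 8-letter DLLs in system32, O2 BHOs with "(no name)" whose DLL is already "(file missing)", and an O20 Winlogon Notify handler with the same random naming. As an added example (not from this thread, HijackThis, or any of the posters), here is a small Python triage script that parses HijackThis entries and flags those patterns; the sample lines are copied from the logs posted above, with benign AVG, QuickTime and ctfmon entries included to show they pass.

```python
"""Triage HijackThis log entries for the random-name loader pattern seen in this thread.

Added example, not part of the original forum posts or of HijackThis itself.
"""
import re
from dataclasses import dataclass, field

# Run value names such as [3874dd83] or [BM3b47ee1f]: 8 hex digits, optional "BM" prefix.
RANDOM_RUN_NAME = re.compile(r"^(BM)?[0-9a-f]{8}$", re.IGNORECASE)
# DLL file names such as clwrwmae.dll or cbXNHYsR.dll: exactly 8 letters, no digits.
# On its own this is weak evidence (AVG's avgrsstx.dll is also 8 letters), so it is
# only applied together with a second signal: a rundll32 loader, a missing file, or
# a nameless BHO registration.
RANDOM_DLL_NAME = re.compile(r"^[A-Za-z]{8}\.dll$")
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\lcqcashg.dll (file missing)
O2 - BHO: {997e2395-ad60-ef38-6094-e4f04e39bf4c} - {c4fb93e4-0f4e-4906-83fe-06da5932e799} - C:\WINDOWS\system32\xdmtavmi.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3874dd83] rundll32.exe "C:\WINDOWS\system32\clwrwmae.dll",b
O4 - HKLM\..\Run: [BM3b47ee1f] Rundll32.exe "C:\WINDOWS\system32\noiymlgr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: pmnlmkkk - pmnlmkkk.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
""".strip()


@dataclass
class Finding:
    severity: str          # "high" = act on it, "info" = verify by hand
    line: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Last path component, with HijackThis' '(file missing)' suffix and quotes removed."""
    return path.replace(" (file missing)", "").strip('"').rsplit("\\", 1)[-1]


def triage_run(body):
    m = RUN_RE.match(body)
    if not m:
        return []                      # Global Startup .lnk entries and the like
    reasons = []
    if RANDOM_RUN_NAME.match(m.group("name")):
        reasons.append("Run value has a random hex name")
    cmd = m.group("cmd")
    if cmd.lower().startswith("rundll32"):
        quoted = re.search(r'"([^"]+)"', cmd)
        dll = (quoted.group(1) if quoted else cmd.split(None, 1)[-1]).split(",")[0]
        if "system32" in dll.lower() and RANDOM_DLL_NAME.match(basename(dll)):
            reasons.append("rundll32 loads a random-named DLL from system32")
    return reasons


def triage_bho(body):
    m = BHO_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    reasons = []
    if name == "(no name)" or name.startswith("{"):
        reasons.append("BHO carries no readable name")
    if path.endswith("(file missing)"):
        reasons.append("BHO DLL no longer on disk (cleaned, but the registration remains)")
    if RANDOM_DLL_NAME.match(basename(path)):
        reasons.append("BHO DLL has a random 8-letter name")
    return reasons


def triage_line(line):
    """Return a Finding for one HijackThis line, or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons, severity = [], "high"
    if kind == "O4":
        reasons = triage_run(body)
    elif kind == "O2":
        reasons = triage_bho(body)
    elif kind == "O20" and body.startswith("Winlogon Notify:"):
        handler = body.split(" - ", 1)[-1]
        if "(file missing)" in body or RANDOM_DLL_NAME.match(basename(handler)):
            reasons.append("Winlogon Notify handler missing or random-named")
    elif kind == "O20" and body.startswith("AppInit_DLLs:"):
        severity = "info"
        reasons.append("AppInit_DLLs is set; confirm the DLL's publisher before trusting it")
    elif kind == "O3" and body.endswith("(no file)"):
        severity = "info"
        reasons.append("toolbar registration points at a file that is gone")
    return Finding(severity, line.strip(), reasons) if reasons else None


def triage(log_text):
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n      {'; '.join(f.reasons)}")
```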
Post #4 - 15-May-2008, 06:02 PM
Next

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix; especially follow the advice about installing the recovery console.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.
Post #5 - 19-May-2008, 06:43 PM
Hi, thanks - sorry for the delay! Here is the ComboFix log:

ComboFix 08-05-19.4 - JeanMarie 2008-05-19 23:24:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.70 [GMT 1:00]
Running from: C:\Documents and Settings\JeanMarie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\avaixcbj.ini
C:\WINDOWS\system32\cfhbiyhk.ini
C:\WINDOWS\system32\ddxnouge.ini
C:\WINDOWS\system32\eamwrwlc.ini
C:\WINDOWS\system32\efootghr.ini
C:\WINDOWS\system32\fwfbfqet.ini
C:\WINDOWS\system32\GOrYIkkj.ini
C:\WINDOWS\system32\GOrYIkkj.ini2
C:\WINDOWS\system32\gqvtqvsk.ini
C:\WINDOWS\system32\hknsprto.ini
C:\WINDOWS\system32\IOUwvGgh.ini2
C:\WINDOWS\system32\llvhiibc.ini
C:\WINDOWS\system32\lvjoikcw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nevtkawl.ini
C:\WINDOWS\system32\paodibji.ini
C:\WINDOWS\system32\RsYHNXbc.ini
C:\WINDOWS\system32\RsYHNXbc.ini2
C:\WINDOWS\system32\tglmtdxs.ini
C:\WINDOWS\system32\yFgjlnmp.ini2
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-18 15:49 . 2008-05-18 21:43 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\Canon
2008-05-16 19:19 . 2008-05-16 19:21 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\Snapfish
2008-05-14 22:39 . 2008-05-14 22:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-13 23:32 . 2008-05-15 12:39 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-13 23:29 . 2008-05-13 23:29 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-13 23:29 . 2008-05-13 23:29 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-13 23:29 . 2008-05-13 23:29 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 23:28 . 2008-05-19 22:22 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-13 23:28 . 2008-05-13 23:28 <DIR> d-------- C:\Program Files\AVG
2008-05-13 23:28 . 2008-05-14 01:01 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\AVGTOOLBAR
2008-05-13 23:28 . 2008-05-13 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-13 23:28 . 2008-05-13 23:28 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 22:53 . 2008-05-13 22:53 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Program Files\BitDefender
2008-05-13 19:33 . 2008-05-13 22:54 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-07 00:45 . 2008-05-13 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-07 00:22 . 2008-05-13 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-05 20:07 . 2008-05-19 23:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 20:06 . 2008-05-19 13:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-05 20:06 . 2008-05-05 20:06 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\PC Tools
2008-05-05 20:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-05 20:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-05 20:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-05 20:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-01 23:58 . 2008-05-01 23:58 <DIR> d-------- C:\Program Files\Pegasys Inc
2008-04-30 23:21 . 2008-05-01 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-30 23:14 . 2008-05-01 23:10 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-28 19:33 . 2008-05-13 23:20 109,727 --a------ C:\WINDOWS\BM3b47ee1f.xml
2008-04-27 20:48 . 2008-04-27 20:48 <DIR> d-------- C:\Program Files\WinAVI Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-18 11:31 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\ImgBurn
2008-04-27 21:48 --------- d-----w C:\Program Files\Jasc Software Inc
2008-04-26 21:49 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\uTorrent
2008-04-09 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 15:28 --------- d-----w C:\Program Files\Lavasoft
2008-04-09 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 15:21 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\CyberLink
2008-04-08 11:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 11:37 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\GlobalSCAPE
2008-04-08 11:33 --------- d-----w C:\Program Files\GlobalSCAPE
2008-04-07 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-07 22:16 --------- d-----w C:\Program Files\CyberLink
2008-04-05 21:09 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\LEAPS
2008-04-05 20:44 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\Pegasys Inc
2008-04-05 20:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 20:24 53,248 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2008-04-05 20:24 33,408 ----a-w C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2008-04-05 20:24 118,784 ----a-w C:\WINDOWS\system32\bgsvcgen.exe
2008-04-05 20:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-04 23:43 --------- d-----w C:\Program Files\BitTorrent
2008-04-04 18:34 --------- d-----w C:\Program Files\Symantec
2008-04-04 18:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-04 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 20:42 --------- d-----w C:\Program Files\ImgBurn
2008-04-03 20:20 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2008-04-03 20:11 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-04-03 20:10 --------- d-----w C:\Program Files\Kodak
2008-04-03 20:09 --------- d-----w C:\Program Files\Common Files\Kodak
2008-04-03 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-02 22:08 --------- d-----w C:\Program Files\ahead
2008-04-01 23:41 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\Jasc Software Inc
2008-04-01 23:34 --------- d-----w C:\Program Files\Kazaa Lite K++
2008-04-01 23:34 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\Kazaa Lite
2008-04-01 23:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-01 22:18 --------- d-----w C:\Program Files\uTorrent
2008-04-01 22:18 --------- d-----w C:\Program Files\DVD Shrink
2008-04-01 22:17 --------- d-----w C:\Program Files\DVD Decrypter
2008-03-29 17:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-29 17:39 --------- d-----w C:\Program Files\MSBuild
2008-03-29 17:32 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-29 17:31 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-29 17:30 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-29 17:29 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-29 17:28 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-29 16:51 --------- d-----w C:\Program Files\Java
2008-03-29 16:49 --------- d-----w C:\Program Files\Common Files\Java
2008-03-29 13:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 13:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B1B7B98-4182-4620-83DB-07063621783C}]
C:\WINDOWS\system32\cbXNHYsR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-13 23:28 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEB39587-6D58-4A98-A50E-C672033D7D10}]
C:\WINDOWS\system32\jkkIYrOG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4fb93e4-0f4e-4906-83fe-06da5932e799}]
C:\WINDOWS\system32\xdmtavmi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-13 23:28 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-13 23:28 2051328]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-10-02 09:22 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 16:35 4608 C:\WINDOWS\system32\carpserv.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-03 21:11 77824]
"UpdatePPShortCut"="C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-21 21:04 222504]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"CLJ"="0 (0x0)" []
"3874dd83"="C:\WINDOWS\system32\sxdtmlgt.dll" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-13 23:28 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-07-23 08:26:34 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmkkk]
pmnlmkkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-13 23:29]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-13 23:28]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-13 23:28]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 23:28]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-13 23:29]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 06:54]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 22:29:29 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-17 02:00:05 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 23:29:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CLJ = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-19 23:32:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 22:32:40

Pre-Run: 15,324,119,040 bytes free
Post-Run: 16,073,564,160 bytes free

222 --- E O F --- 2008-05-16 02:05:21

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:42:27, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
D:\Downloads\downloaded programs\New Folder\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 -
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {6B1B7B98-4182-4620-83DB-07063621783C} - C:\WINDOWS\system32\cbXNHYsR.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: (no name) - {BEB39587-6D58-4A98-A50E-C672033D7D10} - C:\WINDOWS\system32\jkkIYrOG.dll (file missing) O2 - BHO: {997e2395-ad60-ef38-6094-e4f04e39bf4c} - {c4fb93e4-0f4e-4906-83fe-06da5932e799} - C:\WINDOWS\system32\xdmtavmi.dll (file missing) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\5.0" O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program 
Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup O4 - HKLM\..\Run: [3874dd83] rundll32.exe "C:\WINDOWS\system32\sxdtmlgt.dll",b O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - 
http://www.truprint.co.uk/TruprintActivia.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1206808934410 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206808915145 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: pmnlmkkk - pmnlmkkk.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 7139 bytes Thanx! |
20-May-2008, 02:51 PM
#6
download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller
please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment
20-May-2008, 05:47 PM
#7
Hi thanx

Combofix log:

ComboFix 08-05-19.4 - JeanMarie 2008-05-20 22:32:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.75 [GMT 1:00]
Running from: C:\Documents and Settings\JeanMarie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JeanMarie\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM3b47ee1f.xml
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM3b47ee1f.xml
.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.
2008-05-19 23:55 . 2008-05-20 22:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-19 23:55 . 2008-05-20 22:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-18 15:49 . 2008-05-18 21:43 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\Canon
2008-05-16 19:19 . 2008-05-16 19:21 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\Snapfish
2008-05-14 22:39 . 2008-05-14 22:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-13 23:32 . 2008-05-15 12:39 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-13 23:29 . 2008-05-13 23:29 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-13 23:29 . 2008-05-13 23:29 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-13 23:29 . 2008-05-13 23:29 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 23:28 . 2008-05-20 19:26 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-13 23:28 . 2008-05-13 23:28 <DIR> d-------- C:\Program Files\AVG
2008-05-13 23:28 . 2008-05-14 01:01 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\AVGTOOLBAR
2008-05-13 23:28 . 2008-05-13 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-13 23:28 . 2008-05-13 23:28 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-13 22:53 . 2008-05-13 22:53 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Program Files\BitDefender
2008-05-13 19:33 . 2008-05-13 22:54 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-07 00:45 . 2008-05-13 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-07 00:22 . 2008-05-13 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-05 20:07 . 2008-05-19 23:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 20:06 . 2008-05-19 13:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-05 20:06 . 2008-05-05 20:06 <DIR> d-------- C:\Documents and Settings\JeanMarie\Application Data\PC Tools
2008-05-05 20:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-05 20:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-05 20:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-05 20:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-01 23:58 . 2008-05-01 23:58 <DIR> d-------- C:\Program Files\Pegasys Inc
2008-04-30 23:21 . 2008-05-01 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-30 23:14 . 2008-05-01 23:10 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-27 20:48 . 2008-04-27 20:48 <DIR> d-------- C:\Program Files\WinAVI Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-18 11:31 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\ImgBurn
2008-04-27 21:48 --------- d-----w C:\Program Files\Jasc Software Inc
2008-04-26 21:49 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\uTorrent
2008-04-09 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 15:28 --------- d-----w C:\Program Files\Lavasoft
2008-04-09 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 15:21 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\CyberLink
2008-04-08 11:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 11:37 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\GlobalSCAPE
2008-04-08 11:33 --------- d-----w C:\Program Files\GlobalSCAPE
2008-04-07 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-04-07 22:16 --------- d-----w C:\Program Files\CyberLink
2008-04-05 21:09 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\LEAPS
2008-04-05 20:44 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\Pegasys Inc
2008-04-05 20:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 20:24 53,248 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2008-04-05 20:24 33,408 ----a-w C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2008-04-05 20:24 118,784 ----a-w C:\WINDOWS\system32\bgsvcgen.exe
2008-04-05 20:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-04 23:43 --------- d-----w C:\Program Files\BitTorrent
2008-04-04 18:34 --------- d-----w C:\Program Files\Symantec
2008-04-04 18:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-04 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-03 20:42 --------- d-----w C:\Program Files\ImgBurn
2008-04-03 20:20 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2008-04-03 20:11 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-04-03 20:10 --------- d-----w C:\Program Files\Kodak
2008-04-03 20:09 --------- d-----w C:\Program Files\Common Files\Kodak
2008-04-03 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-02 22:08 --------- d-----w C:\Program Files\ahead
2008-04-01 23:41 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\Jasc Software Inc
2008-04-01 23:34 --------- d-----w C:\Program Files\Kazaa Lite K++
2008-04-01 23:34 --------- d-----w C:\Documents and Settings\JeanMarie\Application Data\Kazaa Lite
2008-04-01 23:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-01 22:18 --------- d-----w C:\Program Files\uTorrent
2008-04-01 22:18 --------- d-----w C:\Program Files\DVD Shrink
2008-04-01 22:17 --------- d-----w C:\Program Files\DVD Decrypter
2008-03-29 17:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-29 17:39 --------- d-----w C:\Program Files\MSBuild
2008-03-29 17:32 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-29 17:31 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-29 17:30 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-29 17:29 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-29 17:28 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-29 16:51 --------- d-----w C:\Program Files\Java
2008-03-29 16:49 --------- d-----w C:\Program Files\Common Files\Java
2008-03-29 13:52 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 09:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 13:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-19_23.32.11.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 22:29:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 18:23:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-13 23:28 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-13 23:28 2051328]
[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-13 23:28 2051328]
[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-10-02 09:22 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 16:35 4608 C:\WINDOWS\system32\carpserv.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-03 21:11 77824]
"UpdatePPShortCut"="C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-21 21:04 222504]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2007-09-27 23:10 122880]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2007-09-29 16:53 2680104]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-13 23:28 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-07-23 08:26:34 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-13 23:29]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-13 23:28]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-13 23:28]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 23:28]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-13 23:29]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 06:54]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 19:09:05 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-05-17 02:00:05 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 22:34:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-20 22:35:57
ComboFix-quarantined-files.txt 2008-05-20 21:35:53
ComboFix2.txt 2008-05-19 22:32:50
Pre-Run: 16,056,893,440 bytes free
Post-Run: 16,048,459,776 bytes free
188 --- E O F --- 2008-05-16 02:05:21

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:24, on 20/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
D:\Downloads\downloaded programs\New Folder\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" update "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1206808934410
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206808915145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6660 bytes

thanx
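Added example, not something posted by anyone in this thread: the thing a helper actually does with two HijackThis logs is diff them and look at what changed, and a few of the indicators in the logs above are mechanical enough to check with a script. The Python below parses the O/R/F/N entries of a HJT v2 log, flags load points whose file is gone ("(file missing)" / "(no file)"), nameless BHOs and toolbars, and Run entries that start a DLL out of system32 via rundll32, then diffs a "before" log against an "after" log. The sample logs are a constructed subset of the 19/05 and 20/05 logs posted in this thread; the heuristics are this example's own, not HijackThis features.

```python
# Added example: parse, triage and diff two HijackThis v2 logs.
# Not a tool from this thread; the sample entries below are a subset
# copied from the two HJT logs posted above (a "before" and an "after").
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HjtEntry:
    section: str  # HJT section code: "O2" (BHO), "O3" (toolbar), "O4" (Run key), "O20" (Winlogon Notify) ...
    body: str     # the rest of the line after "<section> - "


# HJT lines look like "O4 - HKLM\..\Run: [name] command"; codes are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the O/R/F/N entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def triage(entry: HjtEntry) -> list[str]:
    """Heuristic reasons an entry deserves a second look (empty list = nothing odd)."""
    reasons = []
    body = entry.body
    # A load point still registered although its file is gone: either a cleaner
    # removed the file and left the key, or the DLL is being hidden/renamed.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("load point registered but its file is absent")
    # Legitimate BHOs and toolbars almost always carry a product name.
    if entry.section in ("O2", "O3") and "(no name)" in body:
        reasons.append("BHO/toolbar with no name")
    # Run entries that start a DLL through rundll32 out of system32 are a common
    # adware pattern (compare the [3874dd83] entry in the first log above).
    lower = body.lower()
    if entry.section == "O4" and "rundll32" in lower and "system32" in lower and ".dll" in lower:
        reasons.append("Run entry loads a DLL from system32 via rundll32")
    return reasons


def diff_logs(before: list[HjtEntry], after: list[HjtEntry]):
    """Entries that disappeared between the two runs, and entries that are new."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


def summarize(before_text: str, after_text: str) -> dict:
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = diff_logs(before, after)
    return {
        "removed": removed,
        "added": added,
        "still_flagged": [e for e in after if triage(e)],
    }


# Constructed sample: a subset of the 19/05 (before) and 20/05 (after) logs above.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {6B1B7B98-4182-4620-83DB-07063621783C} - C:\WINDOWS\system32\cbXNHYsR.dll (file missing)
O2 - BHO: (no name) - {BEB39587-6D58-4A98-A50E-C672033D7D10} - C:\WINDOWS\system32\jkkIYrOG.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [3874dd83] rundll32.exe "C:\WINDOWS\system32\sxdtmlgt.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: pmnlmkkk - pmnlmkkk.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    result = summarize(BEFORE_LOG, AFTER_LOG)
    for e in result["removed"]:
        print("removed:      ", e.section, "-", e.body, "|", "; ".join(triage(e)))
    for e in result["still_flagged"]:
        print("still present:", e.section, "-", e.body, "|", "; ".join(triage(e)))
```

Run against the sample, the diff lists the two nameless BHOs, the rundll32 Run entry and the pmnlmkkk Winlogon Notify entry as gone after the CFScript run, and the only item still flagged is the orphaned O3 toolbar with "(no file)", which is the same leftover visible in the second log above. The heuristics are deliberately narrow; anything they flag still needs a human to decide, as the helper in this thread did.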
21-May-2008, 02:09 AM
#8
should be clear now

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

then Turn off system restore by following instructions here for XP http://www.thespykiller.co.uk/index.php?page=8 or for Vista http://www.bleepingcomputer.com/tuto...torial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

Now Empty Recycle bin on desktop

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller
please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment
21-May-2008, 02:09 AM
#9
should be clear now

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

then Please download the OTMoveIt by OldTimer.

then Turn off system restore by following instructions here for XP http://www.thespykiller.co.uk/index.php?page=8 or for Vista http://www.bleepingcomputer.com/tuto...torial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

Now Empty Recycle bin on desktop

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller
please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment