Solved: Removing relevant knowledge

klaustrophobia
Junior Member with 12 posts.
THREAD STARTER
Join Date: Mar 2009
Experience: Beginner
17-Mar-2009, 08:04 AM
Removing relevant knowledge
Dear Forum users

I have ended up with the spy programme relevant knowledge on my computer and would appreciate any help in removing this properly!

This programme has installed itself on my computer. This must have happened while downloading files from P2P networks.

I have deleted all the downloads in question and am now trying to get rid of this spy programme also.

I have carried out the HJT scan as recommended and I am attaching the scan log in this message...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:49:09, on 17/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RelevantKnowledge] C:\program files\relevantknowledge\rlvknlg.exe -boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Mozilla Firefox
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 4174 bytes


Thank you for your consideration!
km2357
Malware Removal Specialist with 686 posts. Authorized to help remove malware.
Join Date: Aug 2007
Experience: Intermediate
17-Mar-2009, 03:02 PM
Hello and welcome to Tech Support Guy.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!
km2357
Malware Removal Specialist with 686 posts. Authorized to help remove malware.
Join Date: Aug 2007
Experience: Intermediate
17-Mar-2009, 03:07 PM
Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.



Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include the Uninstall List, C:\ComboFix.txt and a fresh HiJackThis Log in your next reply.

Use multiple posts if you can't fit everything into one post.
klaustrophobia
Junior Member with 12 posts.
THREAD STARTER
Join Date: Mar 2009
Experience: Beginner
18-Mar-2009, 09:19 PM
Thanks for this detailed reply

I have in the meantime downloaded Ad-Aware and it has detected the programme relevant knowledge and deleted 3 files as well as a large number of cookies.

I seem to be alright for the moment.

I would really like to know if this has done the job or not.
I have carried out both scans and I am attaching the log files.

Combo fix log


ComboFix 09-03-18.01 - Kalus 2009-03-19 2:01:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.1033.18.1014.653 [GMT 0:00]
Running from: c:\documents and settings\Kalus\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\e100bmsg.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-17 14:27 . 2009-03-17 14:27 <DIR> d-------- c:\program files\BitTorrent
2009-03-17 14:27 . 2009-03-18 03:25 <DIR> d-------- c:\documents and settings\Kalus\Application Data\BitTorrent
2009-03-17 14:08 . 2009-03-09 19:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-17 13:01 . 2009-03-17 13:01 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-17 13:01 . 2009-03-09 19:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-17 12:57 . 2009-03-17 12:57 <DIR> d-------- c:\program files\Lavasoft
2009-03-17 12:57 . 2009-03-17 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-17 12:57 . 2009-03-17 12:57 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-17 08:46 . 2009-03-17 08:46 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Adobe Media Player
2009-03-15 11:14 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-15 11:14 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-10 20:13 . 2009-03-19 01:03 <DIR> d-------- c:\program files\DNA
2009-03-10 20:13 . 2009-03-10 20:13 <DIR> d-------- c:\program files\AskSearch
2009-03-10 20:13 . 2009-03-19 02:04 <DIR> d-------- c:\documents and settings\Kalus\Application Data\DNA
2009-03-10 20:02 . 2009-03-10 20:02 1,971,118 --a------ C:\MVI_1701.mp3
2009-03-10 20:01 . 2009-03-10 21:21 <DIR> d-------- c:\program files\DoremiSoft
2009-03-10 19:26 . 2009-03-10 19:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\avidemux
2009-03-10 19:24 . 2009-03-10 21:27 <DIR> d-------- c:\program files\Avidemux 2.4
2009-03-10 19:09 . 2009-03-10 21:22 <DIR> d-------- c:\program files\AviSynth 2.5
2009-03-10 18:44 . 2007-03-16 21:10 499,712 --a------ c:\windows\system32\MSVCP71.DLL
2009-03-10 18:44 . 2007-03-16 21:10 348,160 --a------ c:\windows\system32\MSVCR71.DLL
2009-03-10 18:43 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-03-10 18:43 . 2002-01-05 14:40 487,424 --a------ c:\windows\system32\msvcp70.dll
2009-03-10 18:43 . 2005-11-25 21:46 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax
2009-03-10 18:43 . 2002-01-05 15:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- C:\OutputFolder
2009-03-10 18:30 . 2009-03-10 18:30 170 --a------ c:\windows\system32\test.aok
2009-03-10 18:29 . 2009-03-10 18:42 <DIR> d-------- c:\program files\Ultra MP4 Video Converter
2009-03-10 18:29 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2009-03-10 18:29 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\program files\Any Video Converter
2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Any Video Converter
2009-03-10 17:50 . 2009-03-10 17:50 <DIR> d-------- c:\program files\directx
2009-03-10 17:50 . 2001-10-19 14:40 1,683,792 --a------ c:\windows\system32\wmvcore2.dll
2009-03-10 17:50 . 2001-10-19 14:40 665,424 --a------ c:\windows\system32\wmv8dmoe.dll
2009-03-10 17:50 . 2001-10-19 14:39 572,752 --a------ c:\windows\system32\wmvdmoe.dll
2009-03-10 17:50 . 2001-10-19 14:40 438,608 --a------ c:\windows\system32\wmv8dmod.dll
2009-03-10 17:50 . 2001-10-19 02:05 285,184 --a------ c:\windows\system32\wmidx2.ocx
2009-03-10 17:50 . 2009-03-10 17:50 156,910 --a------ c:\windows\WMSysPr8.prx
2009-03-10 17:48 . 2009-03-10 17:48 <DIR> d-------- c:\documents and settings\Kalus\WINDOWS
2009-03-10 17:48 . 2002-08-02 16:32 299,520 --a------ c:\windows\uninst.exe
2009-03-09 08:09 . 2009-03-09 08:09 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Nero
2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Nero
2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Common Files\Nero
2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-08 13:46 . 2009-03-08 13:46 <DIR> d-------- C:\CucusoftOutput
2009-03-08 13:45 . 2009-03-08 13:45 <DIR> d-------- c:\program files\Cucusoft
2009-03-08 13:28 . 2009-03-08 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
2009-03-08 13:26 . 2009-03-08 13:26 <DIR> d-------- c:\program files\SlySoft
2009-03-07 16:15 . 2009-03-07 16:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\dvdcss
2009-03-07 14:56 . 2009-03-07 14:56 <DIR> d-------- c:\documents and settings\Kalus\Application Data\vlc
2009-03-07 14:53 . 2009-03-07 14:53 <DIR> d-------- c:\program files\VideoLAN
2009-03-07 14:51 . 2009-03-07 14:58 <DIR> d-------- c:\program files\Audacity 1.3 Beta
2009-03-07 14:43 . 2009-03-10 23:07 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Audacity
2009-03-06 14:06 . 2009-03-06 14:06 <DIR> dr------- c:\program files\Skype
2009-03-06 14:06 . 2009-03-06 15:28 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Skype
2009-03-06 14:05 . 2009-03-06 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-03-06 12:00 . 2009-03-15 12:01 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-05 16:02 . 2009-03-16 12:40 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-05 12:36 . 2009-03-05 12:36 <DIR> d-------- c:\program files\Microsoft Works
2009-03-05 12:35 . 2009-03-05 12:35 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-05 12:33 . 2009-03-05 12:33 <DIR> dr-h----- C:\MSOCache
2009-03-05 12:33 . 2009-03-05 12:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-05 12:29 . 2009-03-05 12:29 <DIR> d-------- c:\program files\Rainlendar
2009-03-05 12:29 . 2009-03-05 12:34 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Rainlendar
2009-03-05 12:29 . 2008-10-16 01:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-03-05 12:29 . 2008-10-16 01:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-03-05 12:29 . 2008-10-16 01:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-03-05 12:14 . 2009-03-05 12:15 <DIR> d-------- c:\program files\Winamp
2009-03-05 12:14 . 2009-03-05 12:17 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Winamp
2009-03-05 12:12 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-05 12:11 . 2009-03-05 12:11 0 --a------ c:\windows\nsreg.dat
2009-03-05 12:05 . 2009-02-09 11:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-03-05 12:03 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-05 12:03 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-05 12:03 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-05 12:03 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-05 12:01 . 2009-03-19 01:06 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-05 12:01 . 2009-03-05 12:04 <DIR> d-------- c:\documents and settings\Kalus\Application Data\AVGTOOLBAR
2009-03-05 12:01 . 2008-12-12 17:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-05 12:01 . 2009-03-05 12:01 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-05 12:01 . 2009-03-05 12:01 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-05 12:01 . 2009-03-05 12:01 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\program files\AVG
2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-05 11:58 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-05 11:58 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-05 11:57 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-05 11:57 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-05 11:53 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-05 11:52 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-05 11:48 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-05 11:37 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-04 18:09 . 2009-03-11 13:51 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-04 17:52 . 2006-02-07 08:40 151,552 --a------ c:\windows\system32\igfxres.dll
2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a------ c:\windows\system32\drivers\e100b325.sys
2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2009-03-04 17:48 . 2005-03-04 00:00 126,976 --a------ c:\windows\system32\Prounstl.exe
2009-03-04 17:48 . 2005-03-04 00:00 23,040 --a------ c:\windows\system32\IntelNic.dll
2009-03-04 17:48 . 2005-03-04 00:00 5,110 --a------ c:\windows\system32\e100b325.din
2009-03-04 17:47 . 2009-03-04 17:47 <DIR> d-------- c:\program files\Synaptics
2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a------ c:\windows\system32\drivers\kmixer.sys
2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a--c--- c:\windows\system32\dllcache\kmixer.sys
2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a--c--- c:\windows\system32\dllcache\sysaudio.sys
2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a--c--- c:\windows\system32\dllcache\mskssrv.sys
2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a------ c:\windows\system32\drivers\MSPCLOCK.sys
2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a--c--- c:\windows\system32\dllcache\mspclock.sys
2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a------ c:\windows\system32\drivers\MSPQM.sys
2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a--c--- c:\windows\system32\dllcache\mspqm.sys
2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a--c--- c:\windows\system32\dllcache\drmkaud.sys
2009-03-04 17:45 . 2006-09-27 00:00 2,732,032 --a------ c:\windows\system32\NETw3r32.dll
2009-03-04 17:45 . 2006-09-27 00:00 1,709,696 --a------ c:\windows\system32\drivers\NETw3x32.sys
2009-03-04 17:45 . 2006-01-09 00:00 561,664 --a------ c:\windows\system32\drivers\CHDAud.sys
2009-03-04 17:45 . 2006-09-27 00:00 561,152 --a------ c:\windows\system32\NETw3c32.dll
2009-03-04 17:45 . 2006-01-09 00:00 61,952 --a------ c:\windows\system32\CHDAudPropShortcut.exe
2009-03-04 17:45 . 2006-01-09 00:00 24,064 --a------ c:\windows\system32\CHdAudprop.dll
2009-03-04 17:45 . 2006-01-09 00:00 5,120 --a------ c:\windows\system32\CHdAudPropres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 14:19 --------- d-----w c:\program files\microsoft frontpage
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-10 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-13 761946]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-01-09 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kalus\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-03-25 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
Mozilla Firefox (Safe Mode).lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-05 12:01 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-17 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-05 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-03-04 20160]
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Kalus\Application Data\Mozilla\Firefox\Profiles\hhq1yrl8.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 02:03:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-19 2:05:08
ComboFix-quarantined-files.txt 2009-03-19 02:05:05

Pre-Run: 7,105,273,856 bytes free
Post-Run: 9,324,453,888 bytes free

216 --- E O F --- 2009-03-11 16:30:20

Log from HJT
(add and remove programs)

Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Media Player
Adobe MPEG Encoder
AVG 8.5
Conexant HD Audio
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
Rainlendar (remove only)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Skype™ 4.0
Soft Data Fax Modem with SmartCP
Synaptics Pointing Device Driver
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.8a
Winamp
Windows XP Service Pack 3
WinRAR archiver


Many thanks

Klaus

Last edited by klaustrophobia; 18-Mar-2009 at 10:18 PM..
km2357
Malware Removal Specialist with 686 posts. Authorized to help remove malware.
Join Date: Aug 2007
Experience: Intermediate
19-Mar-2009, 01:54 AM
We still have some more to do before I can give you the all-clean.


IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



Seems you're missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than that we are going to reinstall the Recovery Console.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

Click on the Start button.

Click on the Run menu option.

In the Open: field type the following: sysdm.cpl and then click on the OK button.

A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click and drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No'.
  • When the tool is finished, it will produce a report for you.

Step # 1: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    Folder::
    
    c:\program files\BitTorrent
    c:\documents and settings\Kalus\Application Data\BitTorrent
    c:\program files\DNA
    c:\documents and settings\Kalus\Application Data\DNA
    
    Registry::
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    "c:\\Program Files\\DNA\\btdna.exe"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on klaustrophobia's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. Recovery Console Log
2. The ComboFix Log that appears after Step 1 has been completed.
3. A fresh HiJackThis Log taken after Step 1 has been completed.
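The fresh HijackThis log requested above is the check that the fix actually worked. As an added example (not code from the thread, from HijackThis or from ComboFix), the script below parses the O4 Run-key lines in the HijackThis log format shown earlier, flags entries worth a second look, and diffs a before and an after log to confirm that the RelevantKnowledge entry is gone. The sample log lines are constructed from the format of the logs posted in this thread, and the watchlist is an assumption built from what the thread itself calls out.

```python
"""Parse the O4 (Run-key) autostart lines of a HijackThis log, flag the ones
worth a second look, and diff two logs to confirm a cleanup actually removed
an entry. Added example; not HijackThis, ComboFix or the thread's own code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the log posted earlier in the thread
# (a few representative lines, not the full log).
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [RelevantKnowledge] C:\program files\relevantknowledge\rlvknlg.exe -boot
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed "fresh log after the fix": the spyware and P2P entries are gone.
HJT_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Watchlist of path fragments taken from what the thread itself calls out
# (RelevantKnowledge, the Ask search hook, the BitTorrent DNA client). This is
# an assumption for the example, not a vendor signature set.
WATCHLIST = ("relevantknowledge", "asksearch", "\\dna\\", "bittorrent")

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading executable of a command line, with surrounding quotes stripped.
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Autostart:
    hive: str            # HKLM, HKCU, HKUS\S-1-5-18, ...
    name: str            # value name inside the Run key
    command: str         # command line exactly as logged
    exe: Optional[str]   # executable path pulled from the command, if any


def executable_of(command: str) -> Optional[str]:
    """Return the .exe at the front of a Run command, or None if there is none."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Collect the O4 Run-key entries from a HijackThis log; other line types
    (R0, R3, O2, O23, ...) are ignored here."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["name"], m["cmd"],
                                     executable_of(m["cmd"])))
    return entries


def review(entries: List[Autostart], watchlist=WATCHLIST) -> Dict[str, str]:
    """Map value name -> reason it deserves a look. Two checks: the command
    line contains a watchlist fragment, or the executable is given without an
    absolute path (it then resolves through the search path, so confirm which
    file actually runs)."""
    findings: Dict[str, str] = {}
    for e in entries:
        cmd = e.command.lower()
        hit = next((w for w in watchlist if w in cmd), None)
        if hit:
            findings[e.name] = f"watchlist match: {hit}"
        elif e.exe and not re.match(r"^[A-Za-z]:\\", e.exe):
            findings[e.name] = "relative path, confirm which file actually runs"
    return findings


def diff_autostarts(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Value names removed between two logs, and any that newly appeared
    (a new Run entry showing up right after a cleanup is itself a red flag)."""
    b = {(e.hive, e.name) for e in parse_autostarts(before)}
    a = {(e.hive, e.name) for e in parse_autostarts(after)}
    return sorted(n for _, n in b - a), sorted(n for _, n in a - b)


if __name__ == "__main__":
    for name, why in review(parse_autostarts(HJT_BEFORE)).items():
        print(f"{name}: {why}")
    removed, added = diff_autostarts(HJT_BEFORE, HJT_AFTER)
    print("removed:", removed, "added:", added)
```

Run it against a real log by reading the file into HJT_BEFORE and the post-fix log into HJT_AFTER; an empty "removed" list for the entry you targeted means the autostart is still in place.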
klaustrophobia
Junior Member with 12 posts.
THREAD STARTER
Join Date: Mar 2009
Experience: Beginner
20-Mar-2009, 03:48 AM
Hello KM

Carried out all the procedures as described.
I reinstalled the recovery console; however, I failed to save the log, and now I'm not sure where it went (not on desktop).

I am attaching the Combo fix log and the HJT log

Combofix log


ComboFix 09-03-18.01 - Kalus 2009-03-20 7:30:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.34.1033.18.1014.651 [GMT 0:00]
Running from: c:\documents and settings\Kalus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kalus\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kalus\Application Data\DNA
c:\documents and settings\Kalus\Application Data\DNA\dht.dat
c:\documents and settings\Kalus\Application Data\DNA\dht.dat.old
c:\documents and settings\Kalus\Application Data\DNA\dna.lng
c:\documents and settings\Kalus\Application Data\DNA\resume.dat
c:\documents and settings\Kalus\Application Data\DNA\resume.dat.old
c:\documents and settings\Kalus\Application Data\DNA\rss.dat
c:\documents and settings\Kalus\Application Data\DNA\rss.dat.old
c:\documents and settings\Kalus\Application Data\DNA\settings.dat
c:\documents and settings\Kalus\Application Data\DNA\settings.dat.old
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-17 13:01 . 2009-03-19 11:36 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-17 12:57 . 2009-03-19 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-17 08:46 . 2009-03-17 08:46 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-15 23:48 . 2009-03-15 23:48 <DIR> d-------- c:\program files\Adobe Media Player
2009-03-15 11:14 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-15 11:14 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-15 11:14 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-03-10 20:13 . 2009-03-10 20:13 <DIR> d-------- c:\program files\AskSearch
2009-03-10 20:02 . 2009-03-10 20:02 1,971,118 --a------ C:\MVI_1701.mp3
2009-03-10 20:01 . 2009-03-10 21:21 <DIR> d-------- c:\program files\DoremiSoft
2009-03-10 19:26 . 2009-03-10 19:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\avidemux
2009-03-10 19:24 . 2009-03-10 21:27 <DIR> d-------- c:\program files\Avidemux 2.4
2009-03-10 19:09 . 2009-03-10 21:22 <DIR> d-------- c:\program files\AviSynth 2.5
2009-03-10 18:44 . 2007-03-16 21:10 499,712 --a------ c:\windows\system32\MSVCP71.DLL
2009-03-10 18:44 . 2007-03-16 21:10 348,160 --a------ c:\windows\system32\MSVCR71.DLL
2009-03-10 18:43 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-03-10 18:43 . 2002-01-05 14:40 487,424 --a------ c:\windows\system32\msvcp70.dll
2009-03-10 18:43 . 2005-11-25 21:46 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax
2009-03-10 18:43 . 2002-01-05 15:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- C:\OutputFolder
2009-03-10 18:30 . 2009-03-10 18:30 170 --a------ c:\windows\system32\test.aok
2009-03-10 18:29 . 2009-03-10 18:42 <DIR> d-------- c:\program files\Ultra MP4 Video Converter
2009-03-10 18:29 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2009-03-10 18:29 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\program files\Any Video Converter
2009-03-10 18:05 . 2009-03-10 18:38 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Any Video Converter
2009-03-10 17:50 . 2009-03-10 17:50 <DIR> d-------- c:\program files\directx
2009-03-10 17:50 . 2001-10-19 14:40 1,683,792 --a------ c:\windows\system32\wmvcore2.dll
2009-03-10 17:50 . 2001-10-19 14:40 665,424 --a------ c:\windows\system32\wmv8dmoe.dll
2009-03-10 17:50 . 2001-10-19 14:39 572,752 --a------ c:\windows\system32\wmvdmoe.dll
2009-03-10 17:50 . 2001-10-19 14:40 438,608 --a------ c:\windows\system32\wmv8dmod.dll
2009-03-10 17:50 . 2001-10-19 02:05 285,184 --a------ c:\windows\system32\wmidx2.ocx
2009-03-10 17:50 . 2009-03-10 17:50 156,910 --a------ c:\windows\WMSysPr8.prx
2009-03-10 17:48 . 2009-03-10 17:48 <DIR> d-------- c:\documents and settings\Kalus\WINDOWS
2009-03-10 17:48 . 2002-08-02 16:32 299,520 --a------ c:\windows\uninst.exe
2009-03-09 08:09 . 2009-03-09 08:09 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Nero
2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Nero
2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\program files\Common Files\Nero
2009-03-09 08:01 . 2009-03-09 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-03-08 13:46 . 2009-03-08 13:46 <DIR> d-------- C:\CucusoftOutput
2009-03-08 13:45 . 2009-03-08 13:45 <DIR> d-------- c:\program files\Cucusoft
2009-03-08 13:28 . 2009-03-08 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
2009-03-08 13:26 . 2009-03-08 13:26 <DIR> d-------- c:\program files\SlySoft
2009-03-07 16:15 . 2009-03-07 16:26 <DIR> d-------- c:\documents and settings\Kalus\Application Data\dvdcss
2009-03-07 14:56 . 2009-03-07 14:56 <DIR> d-------- c:\documents and settings\Kalus\Application Data\vlc
2009-03-07 14:53 . 2009-03-07 14:53 <DIR> d-------- c:\program files\VideoLAN
2009-03-07 14:51 . 2009-03-07 14:58 <DIR> d-------- c:\program files\Audacity 1.3 Beta
2009-03-07 14:43 . 2009-03-10 23:07 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Audacity
2009-03-06 14:06 . 2009-03-06 14:06 <DIR> dr------- c:\program files\Skype
2009-03-06 14:06 . 2009-03-06 15:28 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Skype
2009-03-06 14:05 . 2009-03-06 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-03-06 12:00 . 2009-03-19 12:01 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-05 16:02 . 2009-03-16 12:40 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-05 12:36 . 2009-03-05 12:36 <DIR> d-------- c:\program files\Microsoft Works
2009-03-05 12:35 . 2009-03-05 12:35 <DIR> d-------- c:\program files\Microsoft.NET
2009-03-05 12:33 . 2009-03-05 12:33 <DIR> dr-h----- C:\MSOCache
2009-03-05 12:33 . 2009-03-05 12:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-05 12:29 . 2009-03-05 12:29 <DIR> d-------- c:\program files\Rainlendar
2009-03-05 12:29 . 2009-03-05 12:34 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Rainlendar
2009-03-05 12:29 . 2008-10-16 01:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-03-05 12:29 . 2008-10-16 01:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-03-05 12:29 . 2008-10-16 01:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-03-05 12:14 . 2009-03-05 12:15 <DIR> d-------- c:\program files\Winamp
2009-03-05 12:14 . 2009-03-05 12:17 <DIR> d-------- c:\documents and settings\Kalus\Application Data\Winamp
2009-03-05 12:12 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-05 12:11 . 2009-03-05 12:11 0 --a------ c:\windows\nsreg.dat
2009-03-05 12:05 . 2009-02-09 11:13 1,846,784 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-03-05 12:03 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-05 12:03 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-05 12:03 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-05 12:03 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-05 12:01 . 2009-03-19 11:35 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-05 12:01 . 2009-03-05 12:04 <DIR> d-------- c:\documents and settings\Kalus\Application Data\AVGTOOLBAR
2009-03-05 12:01 . 2008-12-12 17:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-05 12:01 . 2009-03-05 12:01 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-05 12:01 . 2009-03-05 12:01 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-05 12:01 . 2009-03-05 12:01 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\program files\AVG
2009-03-05 12:00 . 2009-03-05 12:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-05 11:58 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-05 11:58 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-05 11:57 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-05 11:57 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-05 11:53 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-05 11:52 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-05 11:48 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-05 11:37 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-04 18:09 . 2009-03-11 13:51 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-04 17:52 . 2006-02-07 08:40 151,552 --a------ c:\windows\system32\igfxres.dll
2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a------ c:\windows\system32\drivers\e100b325.sys
2009-03-04 17:48 . 2005-03-04 00:00 157,696 --a--c--- c:\windows\system32\dllcache\e100b325.sys
2009-03-04 17:48 . 2005-03-04 00:00 126,976 --a------ c:\windows\system32\Prounstl.exe
2009-03-04 17:48 . 2005-03-04 00:00 23,040 --a------ c:\windows\system32\IntelNic.dll
2009-03-04 17:48 . 2005-03-04 00:00 5,110 --a------ c:\windows\system32\e100b325.din
2009-03-04 17:47 . 2009-03-04 17:47 <DIR> d-------- c:\program files\Synaptics
2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a------ c:\windows\system32\drivers\kmixer.sys
2009-03-04 17:46 . 2008-04-14 00:15 172,416 --a--c--- c:\windows\system32\dllcache\kmixer.sys
2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
2009-03-04 17:46 . 2008-04-14 00:45 60,800 --a--c--- c:\windows\system32\dllcache\sysaudio.sys
2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
2009-03-04 17:46 . 2008-04-14 00:09 7,552 --a--c--- c:\windows\system32\dllcache\mskssrv.sys
2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a------ c:\windows\system32\drivers\MSPCLOCK.sys
2009-03-04 17:46 . 2008-04-14 00:09 5,376 --a--c--- c:\windows\system32\dllcache\mspclock.sys
2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a------ c:\windows\system32\drivers\MSPQM.sys
2009-03-04 17:46 . 2008-04-14 00:09 4,992 --a--c--- c:\windows\system32\dllcache\mspqm.sys
2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a------ c:\windows\system32\drivers\drmkaud.sys
2009-03-04 17:46 . 2008-04-14 00:15 2,944 --a--c--- c:\windows\system32\dllcache\drmkaud.sys
2009-03-04 17:45 . 2006-09-27 00:00 2,732,032 --a------ c:\windows\system32\NETw3r32.dll
2009-03-04 17:45 . 2006-09-27 00:00 1,709,696 --a------ c:\windows\system32\drivers\NETw3x32.sys
2009-03-04 17:45 . 2006-01-09 00:00 561,664 --a------ c:\windows\system32\drivers\CHDAud.sys
2009-03-04 17:45 . 2006-09-27 00:00 561,152 --a------ c:\windows\system32\NETw3c32.dll
2009-03-04 17:45 . 2006-01-09 00:00 61,952 --a------ c:\windows\system32\CHDAudPropShortcut.exe
2009-03-04 17:45 . 2006-01-09 00:00 24,064 --a------ c:\windows\system32\CHdAudprop.dll
2009-03-04 17:45 . 2006-01-09 00:00 5,120 --a------ c:\windows\system32\CHdAudPropres.dll
2009-03-04 17:44 . 2009-03-04 17:44 <DIR> d-------- c:\program files\CONEXANT
2009-03-04 17:43 . 2006-01-11 00:00 935,424 --a------ c:\windows\system32\drivers\HSX_DPV.sys
2009-03-04 17:43 . 2006-01-11 00:00 671,232 --a------ c:\windows\system32\drivers\HSX_CNXT.sys
2009-03-04 17:43 . 2006-01-11 00:00 194,048 --a------ c:\windows\system32\drivers\HSXHWAZL.sys
2009-03-04 17:43 . 2006-01-11 00:00 140,731 --a------ c:\windows\system32\drivers\HSFProf.cty
2009-03-04 17:43 . 2006-01-09 00:00 114,688 --a------ c:\windows\system32\UCI32103.dll
2009-03-04 17:39 . 2006-02-07 09:03 956,029 --a------ c:\windows\system32\ialmdd5.dll
2009-03-04 17:39 . 2006-02-07 08:55 232,733 --a------ c:\windows\system32\ialmdev5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 14:19 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-13 761946]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1932568]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-01-09 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Kalus\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-03-25 118784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
Mozilla Firefox (Safe Mode).lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-03-05 307704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-05 12:01 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-05 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 298264]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-03-04 20160]
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Kalus\Application Data\Mozilla\Firefox\Profiles\hhq1yrl8.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 07:33:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-20 7:35:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 07:35:42
ComboFix2.txt 2009-03-20 07:19:58
ComboFix3.txt 2009-03-19 02:05:09

Pre-Run: 1,745,850,368 bytes free
Post-Run: 1,731,776,512 bytes free

230 --- E O F --- 2009-03-11 16:30:20


HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:41:28, on 20/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Mozilla Firefox
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3826 bytes


Thank you for the help !!!

km2357 (Malware Removal Specialist, authorized to help remove malware), 20-Mar-2009, 02:12 PM
That's OK about the Recovery Console log; your latest ComboFix log no longer says you don't have the Recovery Console installed, meaning you installed it successfully.


Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 2: Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log

klaustrophobia (Junior Member, Thread Starter), 20-Mar-2009, 05:11 PM
Hello KM

Thanks again

Looks like things are working out !!

I am attaching the mbam-log and the HJT log.

mbam-log

Malwarebytes' Anti-Malware 1.34
Database version: 1878
Windows 5.1.2600 Service Pack 3

20/03/2009 21:06:41
mbam-log-2009-03-20 (21-06-41).txt

Scan type: Quick Scan
Objects scanned: 58996
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:49, on 20/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3913 bytes


Thank you

Klaus
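As an added example (not km2357's or klaustrophobia's code, and not part of HijackThis), the script below does what the helper does by eye between posts: it parses the "Oxx - ..." / "R1 - ..." entry lines of two HijackThis logs and lists which autostart entries appeared or vanished between them. The two embedded logs are constructed excerpts of the two logs posted above, so the output shows the Malwarebytes RunOnce entry that appeared and the "Global Startup: Mozilla Firefox" entry that went away.

```python
"""Diff two HijackThis logs and report the autostart entries that changed.

Added example for this thread, not code from the forum or from HijackThis.
The embedded logs are constructed excerpts of the logs posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Every HJT entry line starts with a section tag ("R1", "O2", "O4", "O23", ...)
# followed by " - "; header lines and the "End of file" footer do not match.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Sections that are persistence points (Run keys, Winlogon notify, services).
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O23"}

# Constructed excerpt of the 20-Mar-2009 07:41 log from the thread.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:41:28, on 20/03/2009
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Firefox
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
--
End of file - 3826 bytes
"""

# Constructed excerpt of the 20-Mar-2009 21:07 log, taken after Malwarebytes ran.
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:49, on 20/03/2009
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
--
End of file - 3913 bytes
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group the entry lines of one HJT log by section tag, keeping log order."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_hjt(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) entries as 'TAG - text' strings."""
    old, new = parse_hjt(before), parse_hjt(after)
    added: List[str] = []
    removed: List[str] = []
    for tag in sorted(set(old) | set(new)):
        old_set, new_set = set(old.get(tag, [])), set(new.get(tag, []))
        added += [f"{tag} - {e}" for e in new.get(tag, []) if e not in old_set]
        removed += [f"{tag} - {e}" for e in old.get(tag, []) if e not in new_set]
    return added, removed


def autostart_changes(before: str, after: str) -> List[str]:
    """Keep only the added ('+') and removed ('-') entries in persistence sections."""
    added, removed = diff_hjt(before, after)
    tagged = [f"+ {e}" for e in added] + [f"- {e}" for e in removed]
    return [c for c in tagged if c[2:].split(" - ", 1)[0] in AUTOSTART_SECTIONS]


if __name__ == "__main__":
    for change in autostart_changes(LOG_BEFORE, LOG_AFTER):
        print(change)
```

Feed it the full logs from two consecutive posts to see exactly which R/O entries a cleanup step added or removed, rather than re-reading both logs line by line.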

km2357 (Malware Removal Specialist, authorized to help remove malware), 21-Mar-2009, 03:28 AM
Step # 1: Run Kaspersky Online Scan

Please make sure that all programs are closed when installing Java.
  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 12. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 12 License Agreement box and click on Continue.
  6. Click on jre-6u12-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u12-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?

km2357 (Malware Removal Specialist, authorized to help remove malware), 23-Mar-2009, 02:53 PM
klaustrophobia? How are things coming along?

klaustrophobia (Junior Member, Thread Starter), 24-Mar-2009, 03:52 AM
Thank you
Dear Km


I will be going away for the next 11 days without access to the internet.

I carried out both scans; Kaspersky detected no threats.

Does this mean I'm all clean?

Computer is running well.

Won't be looking at the thread for the next 11 days, so thank you very much for your help. It was most appreciated. I think you are doing a great job.

All the best

Klaus

Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 23, 2009 22:13:13
Records in database: 1958593
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 36513
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:34:16

No malware has been detected. The scan area is clean.

The selected area was scanned.

km2357 (Malware Removal Specialist, authorized to help remove malware), 24-Mar-2009, 02:40 PM
Both Kaspersky and your latest HJT log look good.

Since you'll be away for 11 days, I'll wait till you get back before I post my "All-Clean" speech to you and then we'll be done.

Let me know when you get back.

klaustrophobia (Junior Member, Thread Starter), 04-Apr-2009, 12:03 PM
all clean speech
Hey KM

I'm ready for the all clean speech ...


km2357 (Malware Removal Specialist, authorized to help remove malware), 04-Apr-2009, 04:54 PM
Welcome back.

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure. This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently. It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click OK.
  • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/m...revention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.
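The "All Clean" post above walks through several settings by hand (Folder Options, the Internet Explorer Custom Level items, the DNS Client service and the hosts file). The script below is an added audit example written by the editor; it is not km2357's code and not part of the forum post. It reads those settings back from the registry, the service list and the hosts file and reports which ones still differ from what the post recommends, so the user can confirm the manual steps took effect. It assumes Windows PowerShell is installed and that it runs as the same user whose settings were changed (the values it checks live under HKCU). The numeric value names for the Internet zone are Microsoft's documented zone-setting identifiers; the "expected" values are taken from the post.

```powershell
# Added audit script, not from km2357's post: reads back the Explorer, Internet
# Explorer zone, DNS Client and hosts-file settings the post tells the user to
# change by hand and reports which ones still differ from the recommendation.
# Assumes Windows PowerShell is installed and the script runs as the user whose
# settings were changed (the values live under HKCU). Registry value names for
# the Internet zone follow Microsoft's documented zone-setting numbers.

$findings = New-Object System.Collections.Generic.List[string]

function Test-Setting {
    param([string]$Name, $Actual, $Expected)
    # Record a finding when the stored value does not match the recommendation.
    if ($null -eq $Actual) {
        $findings.Add("$Name : not set (expected $Expected)")
    } elseif ($Actual -ne $Expected) {
        $findings.Add("$Name : $Actual (expected $Expected)")
    }
}

# 1. Folder Options > View (the "files that should be hidden" section of the post).
#    Hidden = 2 means "Do not show hidden files and folders",
#    ShowSuperHidden = 0 hides protected operating system files,
#    HideFileExt = 0 shows file extensions for known file types.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Test-Setting 'Explorer: Do not show hidden files (Hidden)'         $adv.Hidden          2
Test-Setting 'Explorer: Hide protected OS files (ShowSuperHidden)' $adv.ShowSuperHidden 0
Test-Setting 'Explorer: Show file extensions (HideFileExt)'        $adv.HideFileExt     0

# 2. Internet Explorer > Security > Internet zone (zone 3) > Custom Level.
#    Each named action is a numeric value under the zone key; 0 = Enable,
#    1 = Prompt, 3 = Disable. Expected values are the ones the post asks for.
$zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ieExpected = @{
    '1001' = @('Download signed ActiveX controls',                          1)
    '1004' = @('Download unsigned ActiveX controls',                        3)
    '1201' = @('Initialize and script ActiveX controls not marked as safe', 3)
    '1800' = @('Installation of desktop items',                             1)
    '1804' = @('Launching programs and files in an IFRAME',                 1)
    '1607' = @('Navigate sub-frames across different domains',              1)
}
foreach ($id in $ieExpected.Keys) {
    $label, $want = $ieExpected[$id]
    Test-Setting "IE zone 3: $label ($id)" $zone.$id $want
}

# 3. DNS Client service, which the post says to set to Manual after installing a
#    large hosts file so the cache does not slow the machine down.
$dns = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
Test-Setting 'DNS Client (Dnscache) start mode' $dns.StartMode 'Manual'

# 4. Hosts file: count blocking entries (lines mapping a name to 0.0.0.0 or
#    127.0.0.1, ignoring comments and the localhost line) so the user can see
#    that a blocking list such as the MVPS file is actually in place.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blocked = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S+' -and $_ -notmatch 'localhost' }).Count
"Hosts file: $blocked blocking entries in $hostsPath"

if ($findings.Count -eq 0) {
    'All checked settings match the recommendations.'
} else {
    'Settings that still differ from the recommendations:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it from a PowerShell prompt after working through the list; each line it prints under "Settings that still differ" names the dialog item and the value found, so the user can go back to just that step. A zone value reported as "not set" usually means the user-level key still inherits the default, which is worth checking rather than assuming it is safe.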
klaustrophobia's Avatar
klaustrophobia klaustrophobia is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Mar 2009
Experience: Beginner
06-Apr-2009, 06:01 AM
All clean speech
Thanks KM

Have received and read your post

Will start working through the list of things to do

Thank you very much

>>Klaus