Another trojan help thread...

pepsi_max2k · Jul 5, 2007

Yes, it happened to me too. One .exe, numerous trojans and infinite scans later I'm hopefully over the worst, but am looking for advice to make sure the pc's clean.

Basically, one of my pc's got infected with all sorts of stuff (we won't go into how, it's embarrassing, though not that kinda embarrassing...). and when i say the whole pc started moaning at me, i'm not talking figuratively either

So far I've run avg, twice (latest updates), spybot s&d (thrice, latest updates though an error about probs with "Trojans.sbi"), ad-aware, SUPERAntiSpyware, tried installing prevx (complained about no net connection, and i'm not connecting again until i have to, working from a laptop atm), a few specific trojan removers (vundo and virtumonde from symantec, vundofix from possibly round here) and anything else i could think of at the time but may have forgotten...

spybot came up with stuff like
TagASaurus
Virtumonde
Win32.Small.ddx
Zedo
Tradedoubler
MediaPlex
and about 10 others. most were all cookies but one (tagasaurus, win32 or virtumonde) had a load of .exes in c:/windows and system32.

while avg said it removed
xc36.exe
xc60.exe

and i manually stopped a few processes, mgrs.exe being one, winwin.exe, can't remember the others... also manually deleted mgrs.exe from C:/windows/ and msconfig's startup list. iexplorer was running a lot too, no window visible but complained about being offline too (i use ff fwiw). also have 6 svchost.exe's running... i think that's normal?

I would post a hijackthis scan about now but i just ran it and got the very myspace-esque error of "an unexpected error has occured at proceduer: modMain_CheckOther1Item() Error #5 - Invalid procedure call or argument." oh... wait... it's done something... will paste in a sec... edit: hijackthis_v2 ran without problems. i've commented anything not blatently obvious, if it helps...

What advice can anyone give me? Doesn't look like there's any problem processes running anymore, and it feels as responsive as ever, no scans are picking up anything anymore, but you lot seem to know more about this stuff than i do (last real virus i had was 4 years ago on a brand new install.... windows ).

Logfile of HijackThis v1.99.1
Scan saved at 16:00:39, on 05/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe AVG Anti-Virus
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe AVG
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe AVG
C:\WINDOWS\system32\nvsvc32.exe Nvidia Control Panel
C:\WINDOWS\system32\ctfmon.exe It's good, but i forget what it is,,,
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe AVG
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inaudible.co.uk/ Good
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll ???
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP AVG
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup Nvidia
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install Good, forget what
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe again, good
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe Good, hotkey program
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm Good, stream downloader
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm as above
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) ???
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) ???
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe good, stream downloader
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120314097031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159808290953
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab game adict ;o)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL msnmsg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL msnmsg
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll err... good?
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing) ???
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll ???
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe damn you apple, i remove this every day...
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe nvidia
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing) prevx av, i presume good
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe good, sys info tool
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe as above
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing) good, remote destop

Click to expand...

pepsi_max2k · Jul 5, 2007

*bump* no one see anything dodgy?

pepsi_max2k · Jul 5, 2007

edit to remove repeat of above

Cookiegal · Jul 6, 2007

I've merged your threads together. Please do not start more than one for the same problem.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

pepsi_max2k · Jul 6, 2007

thanks. thought people were just ignoring the thing, then it dissapeared on to page 3... anyway, i'd already tried the vundofix, two different versions, symantec one saying no vundo files were found.

having found the hijackthis analyzer on the prevx site ( http://www.prevx.com/hijackthis.asp ) it came back saying nothing bad was found. further scans with avg / spybot / adaware / superantispywear have found nothing, no weird looking processes and nothing else seems awry so hopefully i've got rid of everything

Cookiegal · Jul 6, 2007

There are often other files lingering.

Download ComboFix to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply

Note: Do not mouseclick combofix's window while it's running as that may cause it to stall

pepsi_max2k · Jul 6, 2007

only problem i see below is the mgrs.exe hkey entry for startup, as it's still listed in msconfig's startup files but i've got it unticked so it's not running. i guess i could just delete the key with regedit?

also included contents of ComboFix-quarantined-files.txt at end cos, well, i dunno how important it is

is it safe to delete all the files / qoobox folder now? thx.

"Administrator" - 2007-07-06 19:11:01 - ComboFix 07-07-04.4 - Service Pack 2 [SAFE MODE]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))

2007-07-06 19:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 21:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-05 21:48 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-05 01:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-05 01:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-05 01:16 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-05 01:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-05 01:14 <DIR> d-------- C:\VundoFix Backups
2007-07-04 23:55 77,312 --a------ C:\WINDOWS\ua2.dll
2007-07-04 23:13 1 --a------ C:\WINDOWS\system32\krx240.dat
2007-07-04 23:13 <DIR> d-------- C:\Program Files\Web Button Maker Deluxe
2007-07-04 23:13 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Kristanix Software
2007-07-04 14:00 <DIR> d-------- C:\Program Files\VideoMach-4.0.4
2007-07-04 13:52 <DIR> d-------- C:\Program Files\Avidemux 2.4
2007-07-04 13:52 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\gtk-2.0
2007-07-03 19:09 4 --a------ C:\loadcounter.dat
2007-06-12 15:48 <DIR> d-------- C:\Program Files\FileZilla
2007-06-11 15:24 90,624 --a------ C:\WINDOWS\system32\pnc32301.dll
2007-06-11 15:24 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2007-06-11 15:24 82,398 --a------ C:\WINDOWS\c96unins.exe
2007-06-11 15:24 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2007-06-11 15:24 140,288 --a------ C:\WINDOWS\system32\ra3214_4.dll
2007-06-11 15:24 13,824 --a------ C:\WINDOWS\system32\ra32dnet.dll
2007-06-11 15:24 <DIR> d-------- C:\Program Files\Cool Edit 96

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 21:41:14 -------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-07-05 21:36:28 -------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-06-13 17:23:10 -------- d-----w C:\Program Files\TrackMania Nations ESWC
2007-05-30 20:59:50 -------- d-----w C:\Program Files\WinTV
2007-05-19 14:09:00 -------- d-----w C:\Program Files\Microsoft Bootvis
2007-05-19 13:47:02 15,104 ----a-w C:\WINDOWS\system32\drivers\usbscan.sys
2007-05-19 11:01:58 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-19 11:01:36 -------- d-----w C:\Program Files\MSXML 6.0
2007-05-18 20:59:42 -------- d-----w C:\Program Files\Sony
2007-05-18 20:56:55 -------- d-----w C:\Program Files\ePSXe
2007-05-18 16:41:13 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-18 16:39:32 -------- d-----w C:\Program Files\The Sir. Community
2007-05-18 11:58:05 -------- d-----w C:\Program Files\HiDownload
2007-05-17 19:50:45 -------- d-----w C:\Program Files\Napster
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 16:14:46 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-13 21:09:35 -------- d-----w C:\Program Files\rawwritewin-0.7
2007-05-13 21:09:27 -------- d-----w C:\Program Files\Putty
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 12:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 12:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 12:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 12:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 12:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 12:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 12:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 12:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 12:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 12:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 12:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 12:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 12:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-19 12:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-19 12:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-19 12:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-19 12:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-19 12:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-19 12:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-19 12:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-19 12:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-19 12:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-19 12:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-19 12:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-19 12:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-19 12:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-19 12:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-19 12:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-19 12:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-19 12:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-19 12:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-19 12:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-19 12:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-19 12:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-19 12:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-19 12:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 12:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-19 12:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-19 12:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-19 12:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-19 12:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-19 12:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-19 12:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-19 12:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-19 12:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-19 12:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-19 12:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-19 12:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-19 12:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-19 12:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-19 12:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-19 12:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-19 12:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-19 12:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-19 12:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-19 12:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-19 12:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-19 12:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-19 12:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-19 12:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-19 12:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-19 12:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 12:26:00 221,184 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-19 12:26:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-19 12:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 12:26:00 208,896 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-04-19 12:26:00 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-04-19 12:26:00 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-04-19 12:26:00 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
2007-04-19 12:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 12:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 12:26:00 118,784 ----a-w C:\WINDOWS\system32\nvrszht.dll
2007-04-19 12:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 12:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 12:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-19 12:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 12:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 20:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-01-11 15:10:49 56 --sh--r C:\WINDOWS\system32\723E9EBC8E.sys
2005-10-07 18:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-10 08:40:45 8 --sh--r C:\WINDOWS\system32\C9DE3933CB.sys
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-02-03 14:38:53 56 --sh--r C:\WINDOWS\system32\FE77CD95E7.sys
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-12-24 01:32:03 13,198 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 09:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02DCA195-602B-4B1F-83FF-381B7E804BDB}]
2003-03-27 07:37 208896 --a------ C:\WINDOWS\system32\HDBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-02-08 18:17 233472 --a------ C:\Program Files\Java\jre1.6.0\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 19:13]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-01 19:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-09 14:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"NeroHomeFirstStart"=C:\Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingdm32]
wingdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Christopher^Start Menu^Programs^Startup^ATITool.lnk]
path=C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\ATITool.lnk
backup=C:\WINDOWS\pss\ATITool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis True Image Monitor]
"C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Active Desktop Calendar]
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB002" /M "Stylus C64"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series (Copy 1)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P32 "EPSON Stylus C64 Series (Copy 1)" /O6 "USB002" /M "Stylus C64"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Second Copy 2000]
"C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TraySantaCruz]
C:\WINDOWS\system32\tbctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\AUTORUN.EXE

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 19:14:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 19:15:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 19:14

--- E O F ---

Click to expand...

ComboFix-quarantined-files.txt

code
2007-07-06 19:12 352 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf

Folder PATH listing for volume Windows
Volume serial number is 408F-2A50
C:\QOOBOX
\---Quarantine
\---Registry_backups
services_nm.reg.cf

/code

Click to expand...

EDIT: oops, forgot hjt...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:27:56, on 06/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Christopher\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inaudible.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6230 bytes

Click to expand...

Cookiegal · Jul 6, 2007

Click Here and download Killbox and save it to your desktop but dont run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

Then boot to safe mode:

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Double-click on Killbox.exe to run it.

Put a tick by Standard File Kill.

In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\WINDOWS\system32\mgrs.exe

Click on the button that has the red circle with the X in the middle after you enter each file.

It will ask for confirmation to delete the file.

Click Yes.

Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.

Killbox may tell you that one or more files do not exist.

If that happens, just continue on with all the files. Be sure you don't miss any.

Next in Killbox go to Tools > Delete Temp Files

In the window that pops up, put a check by ALL the options there except these three:

XP Prefetch

Recent

History

Now click the Delete Selected Temp Files button.

Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please.

Cookiegal · Jul 6, 2007

You can delete the Qoobox folder.

pepsi_max2k · Jul 6, 2007

couldn't see mgrs.exe in /system32, killbox said no file found either, and when i did have it it was in /windows and i manually deleted when i found it. but anyway... hjt below. and thanks for all the help, to think some people pay for this kinda stuff

oh anything about zone alarm stuff - i just manually uninstalled the thing after a failed install so i dont supose any of that file missing stuff is a problem. za's caused me enough problems in the past anyway... know a decent similar free firewall prog?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:09:19, on 06/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Christopher\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inaudible.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Second Copy] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5797 bytes

Click to expand...

Cookiegal · Jul 6, 2007

Sorry, I assumed it was System32 as the path was not shown.

Zone Alarm should be fine as there's a bug in HijackThis where files shows as missing when they really are not.

How is everything now?

pepsi_max2k · Jul 6, 2007

>> How is everything now?

well to be fair everything seemed fine before, but no problems at all so far seems clean enough. just gotta get rid of all those new files in C: now thanks again for all the help.

Cookiegal · Jul 6, 2007

You're welcome.

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start All Programs Accessories System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading SPYWAREBLASTER for added protection.

Read here for info on how to tighten your security.

Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then hit Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

Empty the recycle bin.

Log in or Sign up

Another trojan help thread...

pepsi_max2k Thread Starter

pepsi_max2k Thread Starter

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Sponsor

Welcome to Tech Support Guy!

Solved Trojan attack on windows 10 and external hard drive

In Progress Terrible Trojan

Solved Trojan Virus Worry

Solved trojan/virus

New Trojan:Win32/Bitrep.B

Log in or Sign up

Another trojan help thread...

pepsi_max2k Thread Starter

pepsi_max2k Thread Starter

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

pepsi_max2k Thread Starter

Cookiegal Administrator Malware Specialist Coordinator

Sponsor

Welcome to Tech Support Guy!

Solved Trojan attack on windows 10 and external hard drive

In Progress Terrible Trojan

Solved Trojan Virus Worry

Solved trojan/virus

New Trojan:Win32/Bitrep.B

Useful Searches