AVG constantly popping up with warning

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
AVG free edition shows popup window with warning re: C:\WINDOWS\system32\atl7.dll TrojanHorseBackdoor.Generic10.AMEC

I would very much appreciate some help with this.

thankyou.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Hi, Welcome to TSG!!


Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
Here is my logfile from HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:33 PM, on 1/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&vv=600&lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.2.13
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.224.20 test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Tod\Desktop\RRT.exe auto
O4 - HKLM\..\Run: [NvSvc] C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 10407 bytes

Thanks so much for your help on this Cheeseball81!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.​
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
Hi,

Thanks again, very much for your help. I downloaded HostsExperts4.2 and followed your instructions. I didn't see an OK on a confirmation box and didn't understand how I should proceed on your last instruction with regards to the note at the end: "If you were using a custom Hosts file you will need to replace any of those entries yourself." - I don't know how to tell if I'm using a custom Hosts file or not. I guess I need more detailed instruction on this.

And as for the Combofix. I downloaded that to my desktop, disabled all my malware programs AVG 7.5 free, Spyware Doctor, Ad-Aware 2007 free (has no immunization), TrojanHunter doesn't have any shields, neither does killbox or vundoFix (all free versions). The combofix wouldn't run - instead i get a microsof error report stating that "prep.com has encountered a problem and needs to close. Do I need to disable windows security? firewall is off, but immunization is on and i'm not sure how to disable that...assuming this may be the problem.

I thank you very much again for your help and patience in helping me out. It is very much appreciated...believe me!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You're using a custom one if you've created a file that maps the IP addresses to host names. Have you? I was thinking no. So it's safe to run Hoster.

Will Combofix run in Safe Mode?
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
ok, i tried the hostsxpert 4.2 again but after pressing ok on the confirm box it came up with Error:cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts
combofix worked in safe mode but i could not install the recovery files as I could not access the internet in my safe mode option. Here is the notepad of that combofix text:
ComboFix 09-02-01.01 - Tod 2009-02-01 21:38:10.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.348 [GMT -5:00]
Running from: c:\documents and settings\Tod\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tod\Cookies\cyqur.scr
c:\documents and settings\Tod\Cookies\hacowow.pif
c:\documents and settings\Tod\Cookies\ivexaxujik.dat
c:\documents and settings\Tod\Local Settings\Temporary Internet Files\asykikugo.reg
c:\documents and settings\Tod\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Tod\Local Settings\Temporary Internet Files\opufedu.dat
c:\documents and settings\Tod\Local Settings\Temporary Internet Files\ywona.lib
c:\windows\system32\chkntfs.dll
c:\windows\system32\cleanmgr.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
.
((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.
2009-02-01 20:00 . 2009-02-01 20:00 168,960 --a------ c:\windows\system32\gdi.dll
2009-02-01 15:46 . 2009-02-01 15:50 <DIR> d-------- c:\program files\HostsXpert
2009-02-01 15:44 . 2009-02-01 15:44 353,485 --a------ c:\program files\HostsXpert.zip
2009-01-24 00:19 . 2009-01-24 00:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 00:01 . 2009-01-24 00:01 812,344 --a------ c:\program files\HJTInstall.exe
2009-01-21 13:44 . 2003-03-18 20:05 95,744 --a------ c:\windows\system32\atl7.dll
2009-01-20 18:00 . 2009-01-22 10:34 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-20 09:06 . 2009-01-23 23:06 <DIR> d-------- c:\windows\system32\Adobe
2009-01-19 21:48 . 2009-01-20 20:59 <DIR> d-------- c:\documents and settings\Tod\Application Data\cogad
2009-01-17 01:50 . 2009-01-17 19:09 2 --a------ C:\1218649415
2009-01-15 17:35 . 2009-01-15 17:35 16,244 --a------ c:\windows\system32\rrt_is.wav
2009-01-15 17:35 . 2009-01-15 17:35 7,302 --a------ c:\windows\system32\rrt_vf.wav
2009-01-15 17:35 . 2009-01-15 17:35 7,148 --a------ c:\windows\system32\rrt_tv.wav
2009-01-15 17:35 . 2009-01-15 17:35 6,282 --a------ c:\windows\system32\rrt_tn.wav
2009-01-14 11:39 . 2009-01-14 11:39 168,960 --a------ c:\windows\system32\fxssend.dll
2009-01-14 11:39 . 2009-01-14 11:39 168,960 --a------ c:\windows\system32\fxscover.dll
2009-01-08 01:39 . 2009-01-08 01:39 <DIR> d-------- c:\documents and settings\Tod\Application Data\TrojanHunter
2009-01-08 01:07 . 2009-01-08 01:08 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-01-08 01:07 . 2009-01-08 01:07 18,389,344 --a------ c:\program files\TrojanHunterSetup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 02:36 --------- d-----w c:\documents and settings\Tod\Application Data\AVG7
2009-02-02 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-02-02 02:22 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-01 04:49 --------- d-----w c:\program files\Spyware Doctor
2009-01-20 04:02 --------- d-----w c:\program files\Google
2009-01-14 16:39 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-01-14 16:39 140,288 ----a-w c:\windows\system32\sfc_os.dll
2009-01-14 16:39 1,129,472 ----a-w c:\windows\explorer.exe
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-06 21:24 13,307,640 ----a-w c:\program files\sdstart.exe
2008-11-06 15:35 13,596,592 ----a-w c:\program files\sdsetup.exe
2008-11-06 02:58 18,424 ----a-w c:\documents and settings\Tod\Application Data\ijogaf.scr
2008-11-06 02:58 18,265 ----a-w c:\documents and settings\All Users\Application Data\iwesoj.scr
2008-11-06 02:58 18,031 ----a-w c:\windows\ozexecuc.sys
2008-11-06 02:58 15,550 ----a-w c:\program files\Common Files\mytyxetuf.bat
2008-11-06 02:58 14,465 ----a-w c:\windows\system32\upadoryjux.exe
2008-11-06 02:58 11,739 ----a-w c:\documents and settings\Tod\Application Data\emykugiq.com
2008-11-06 02:58 11,398 ----a-w c:\windows\inas.reg
2008-11-06 02:58 10,444 ----a-w c:\documents and settings\Tod\Application Data\omefewogoz.com
2008-11-06 02:58 10,169 ----a-w c:\windows\abihoj.com
2008-10-28 16:23 13,217,011 ----a-w c:\program files\waveagent-setup.exe
2008-01-30 20:02 21,364,592 ----a-w c:\program files\aaw2007.exe
2008-01-30 18:09 4,850,928 ----a-w c:\program files\aawsepersonal.exe
2007-10-27 18:56 9,301,896 ----a-w c:\program files\wintax.exe
2007-05-19 14:39 13,825,601 ----a-w c:\program files\FreePrimo32Setup.exe
2007-03-29 17:04 19,755,560 ----a-w c:\program files\avg75free_446a965.exe
2006-09-19 16:56 7,098,145 ----a-w c:\program files\converter.exe
2006-09-18 20:47 3,072 ----a-w c:\program files\RemoveWGA.dll
2006-09-17 22:12 19,672 ----a-w c:\documents and settings\Tod\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 18:38 572,483 ----a-w c:\program files\tefv.exe
2006-07-16 21:27 8,404,736 ----a-w c:\program files\ewido-setup_4.0.0.172b.exe
2006-07-16 18:44 61,074,638 ----a-w c:\program files\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O.part2.rar
2006-07-16 18:36 1,033,440 ----a-w c:\program files\wrar36b2.exe
2006-07-16 18:23 100,431,872 ----a-w c:\program files\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O.part1.rar
2006-07-16 15:20 2,173,488 ----a-w c:\program files\spysubtract.exe
2006-07-16 15:15 313,281 ----a-w c:\program files\cwshredder.zip
2006-04-04 21:26 18,488,203 ----a-w c:\program files\ftmp7demo.exe
2006-04-04 21:18 18,488,203 ----a-w c:\program files\HFMC6.EXE
2006-02-07 18:52 10,703,680 ----a-w c:\program files\NDP1.1sp1-KB867460-X86.exe
2006-02-07 18:48 24,265,736 ----a-w c:\program files\dotnetfx.exe
2005-12-29 04:51 5,037,072 ----a-w c:\program files\spybotsd14.exe
2005-11-10 15:39 34,412,848 ----a-w c:\program files\iTunesSetup.exe
2005-11-01 00:28 369,896 ----a-w c:\program files\WindowsXP-KB888240-x86-ENU.exe
2005-10-27 18:00 20,921,040 ----a-w c:\program files\AdbeRdr705_enu_full.exe
2005-09-29 01:50 28,672 ----a-w c:\program files\Peer-Cache-Patch-1.1.exe
2005-09-29 01:05 823,296 ----a-w c:\program files\winmx353.exe
2005-09-28 17:16 558,240 ----a-w c:\program files\GoogleToolbarInstaller.exe
2004-03-11 17:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
------- Sigcheck -------
2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 00:58 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\dllcache\tcpip.sys
2009-01-14 11:39 360320 a8a6c5b80cb4b619d1a41892eee69e11 c:\windows\system32\drivers\tcpip.sys
2009-01-14 11:39 1129472 e3b2e5b34a7aecc268885a4a7aafd255 c:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-08-29 02:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2009-01-14 11:39 1129472 e3b2e5b34a7aecc268885a4a7aafd255 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C5CF3FF-EBAE-47CE-A195-0BFD99A84317}]
2003-03-18 20:05 95744 --a------ c:\windows\system32\atl7.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-29 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-10 155648]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-06 1168264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2005-09-27 294912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2007-12-11 03:59 307200 c:\program files\Syncrosoft\POS\H2O\cledx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\C-drive files\\C-drive files\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Documents and Settings\\Tod\\Desktop\\WinMX.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
R0 domvtnft;domvtnft;c:\windows\system32\drivers\domvtnft.sys [2001-08-23 23424]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-06 356920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-07-16 33792]
S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2007-09-29 45568]
S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys [2005-09-27 256896]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-PowerBar - (no file)
HKLM-Run-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe
HKLM-Run-RRT-Auto - c:\documents and settings\Tod\Desktop\RRT.exe
HKLM-Run-NvSvc - c:\windows\system32\nvsvc32.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&vv=600&lc=1033
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 21:41:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????<[email protected]?h??????w????h???Z??w(???*[email protected][email protected]???b?????????????????????????,??????????????????????w????g??w0??w????*[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected]?8[email protected]
scanning hidden files ...

**************************************************************************
.
Completion time: 2009-02-01 21:46:09
ComboFix-quarantined-files.txt 2009-02-02 02:44:50
Pre-Run: 4,192,415,744 bytes free
Post-Run: 5,022,027,776 bytes free
202 --- E O F --- 2009-01-13 22:13:42

And here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:02 PM, on 2/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&vv=600&lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.2.13
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Tod\Desktop\RRT.exe auto
O4 - HKLM\..\Run: [NvSvc] C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7071 bytes

Thanks again for all your help Cheeseball81
Much appreciated!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
No problem. Do this next:

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
Hi,
I saw that the MBAM found the file and removed it but I'm still getting these AVG threat detected windows coming up every time I open up a new internet explorer window even after this operation. "While openning file: C:\WINDOWS\system 32\atl7.dll etc.

Okay, here is the MBAM logfile:
Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 2
2/1/2009 11:30:34 PM
mbam-log-2009-02-01 (23-30-34).txt
Scan type: Quick Scan
Objects scanned: 50031
Time elapsed: 10 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2c5cf3ff-ebae-47ce-a195-0bfd99a84317} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2c5cf3ff-ebae-47ce-a195-0bfd99a84317} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2c5cf3ff-ebae-47ce-a195-0bfd99a84317} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Tod\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\atl7.dll (Trojan.BHO.H) -> Delete on reboot.

And here is the new HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:35 PM, on 2/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&vv=600&lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.2.13
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Tod\Desktop\RRT.exe auto
O4 - HKLM\..\Run: [NvSvc] C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7164 bytes

Thanks again for your continued support on this!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Open Notepad and copy and paste the text in the quote box below into it:



File::
C:\WINDOWS\system32\atl7.dll


Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.







This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll

Reboot, post a new Hijack This log.
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
Hi Cheeseball81,

Crossing my fingers, I don't seem to be getting the AVG popups when openning internet explorer windows as I used to after following your last series of instructions. Thankyou so much!
I followed your instructions with regard to the HJT checking the box next to the file you pointed out in your last instruction. However, initially I just pressed scan instead of scan and produce logfile. I rebooted and had no way of retrieving a logfile of that scan. Should I do another HJT scan at this point and send you that logfile? Sorry about that error on my part!

Here is the combofix logfile:

ComboFix 09-02-02.03 - Tod 2009-02-02 17:45:30.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.315 [GMT -5:00]
Running from: c:\documents and settings\Tod\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tod\Desktop\James\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FILE ::
c:\windows\system32\atl7.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\msiexec.dll
c:\windows\system32\atl7.dll . . . . failed to delete
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.
2009-02-02 17:45 . 2009-02-02 17:45 168,960 --a------ c:\windows\system32\gpresult.dll
2009-02-01 23:14 . 2009-02-01 23:14 <DIR> d-------- c:\documents and settings\Tod\Application Data\Malwarebytes
2009-02-01 23:13 . 2009-02-01 23:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 23:13 . 2009-02-01 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-01 23:13 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 23:13 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-01 21:55 . 2009-02-01 21:55 168,960 --a------ c:\windows\system32\freecell.dll
2009-02-01 21:46 . 2009-02-01 21:46 168,960 --a------ c:\windows\system32\logagent.dll
2009-02-01 20:00 . 2009-02-01 20:00 168,960 --a------ c:\windows\system32\gdi.dll
2009-02-01 15:46 . 2009-02-01 22:14 <DIR> d-------- c:\program files\HostsXpert
2009-02-01 15:44 . 2009-02-01 15:44 353,485 --a------ c:\program files\HostsXpert.zip
2009-01-24 00:19 . 2009-01-24 00:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 00:01 . 2009-01-24 00:01 812,344 --a------ c:\program files\HJTInstall.exe
2009-01-21 13:44 . 2003-03-18 20:05 95,744 --a------ c:\windows\system32\atl7.dll
2009-01-20 18:00 . 2009-01-22 10:34 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-20 09:06 . 2009-01-23 23:06 <DIR> d-------- c:\windows\system32\Adobe
2009-01-17 01:50 . 2009-01-17 19:09 2 --a------ C:\1218649415
2009-01-15 17:35 . 2009-01-15 17:35 16,244 --a------ c:\windows\system32\rrt_is.wav
2009-01-15 17:35 . 2009-01-15 17:35 7,302 --a------ c:\windows\system32\rrt_vf.wav
2009-01-15 17:35 . 2009-01-15 17:35 7,148 --a------ c:\windows\system32\rrt_tv.wav
2009-01-15 17:35 . 2009-01-15 17:35 6,282 --a------ c:\windows\system32\rrt_tn.wav
2009-01-14 11:39 . 2009-01-14 11:39 168,960 --a------ c:\windows\system32\fxssend.dll
2009-01-14 11:39 . 2009-01-14 11:39 168,960 --a------ c:\windows\system32\fxscover.dll
2009-01-08 01:39 . 2009-01-08 01:39 <DIR> d-------- c:\documents and settings\Tod\Application Data\TrojanHunter
2009-01-08 01:07 . 2009-01-08 01:08 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-01-08 01:07 . 2009-01-08 01:07 18,389,344 --a------ c:\program files\TrojanHunterSetup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 22:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-02 19:20 --------- d-----w c:\documents and settings\Tod\Application Data\AVG7
2009-02-02 14:22 --------- d-----w c:\program files\Spyware Doctor
2009-02-02 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-20 04:02 --------- d-----w c:\program files\Google
2009-01-14 16:39 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-06 21:24 13,307,640 ----a-w c:\program files\sdstart.exe
2008-11-06 15:35 13,596,592 ----a-w c:\program files\sdsetup.exe
2008-11-06 02:58 18,424 ----a-w c:\documents and settings\Tod\Application Data\ijogaf.scr
2008-11-06 02:58 18,265 ----a-w c:\documents and settings\All Users\Application Data\iwesoj.scr
2008-11-06 02:58 18,031 ----a-w c:\windows\ozexecuc.sys
2008-11-06 02:58 15,550 ----a-w c:\program files\Common Files\mytyxetuf.bat
2008-11-06 02:58 11,739 ----a-w c:\documents and settings\Tod\Application Data\emykugiq.com
2008-11-06 02:58 11,398 ----a-w c:\windows\inas.reg
2008-11-06 02:58 10,444 ----a-w c:\documents and settings\Tod\Application Data\omefewogoz.com
2008-11-06 02:58 10,169 ----a-w c:\windows\abihoj.com
2008-10-28 16:23 13,217,011 ----a-w c:\program files\waveagent-setup.exe
2008-01-30 20:02 21,364,592 ----a-w c:\program files\aaw2007.exe
2008-01-30 18:09 4,850,928 ----a-w c:\program files\aawsepersonal.exe
2007-10-27 18:56 9,301,896 ----a-w c:\program files\wintax.exe
2007-05-19 14:39 13,825,601 ----a-w c:\program files\FreePrimo32Setup.exe
2007-03-29 17:04 19,755,560 ----a-w c:\program files\avg75free_446a965.exe
2006-09-19 16:56 7,098,145 ----a-w c:\program files\converter.exe
2006-09-18 20:47 3,072 ----a-w c:\program files\RemoveWGA.dll
2006-09-17 22:12 19,672 ----a-w c:\documents and settings\Tod\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 18:38 572,483 ----a-w c:\program files\tefv.exe
2006-07-16 21:27 8,404,736 ----a-w c:\program files\ewido-setup_4.0.0.172b.exe
2006-07-16 18:44 61,074,638 ----a-w c:\program files\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O.part2.rar
2006-07-16 18:36 1,033,440 ----a-w c:\program files\wrar36b2.exe
2006-07-16 18:23 100,431,872 ----a-w c:\program files\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O.part1.rar
2006-07-16 15:20 2,173,488 ----a-w c:\program files\spysubtract.exe
2006-07-16 15:15 313,281 ----a-w c:\program files\cwshredder.zip
2006-04-04 21:26 18,488,203 ----a-w c:\program files\ftmp7demo.exe
2006-04-04 21:18 18,488,203 ----a-w c:\program files\HFMC6.EXE
2006-02-07 18:52 10,703,680 ----a-w c:\program files\NDP1.1sp1-KB867460-X86.exe
2006-02-07 18:48 24,265,736 ----a-w c:\program files\dotnetfx.exe
2005-12-29 04:51 5,037,072 ----a-w c:\program files\spybotsd14.exe
2005-11-10 15:39 34,412,848 ----a-w c:\program files\iTunesSetup.exe
2005-11-01 00:28 369,896 ----a-w c:\program files\WindowsXP-KB888240-x86-ENU.exe
2005-10-27 18:00 20,921,040 ----a-w c:\program files\AdbeRdr705_enu_full.exe
2005-09-29 01:50 28,672 ----a-w c:\program files\Peer-Cache-Patch-1.1.exe
2005-09-29 01:05 823,296 ----a-w c:\program files\winmx353.exe
2005-09-28 17:16 558,240 ----a-w c:\program files\GoogleToolbarInstaller.exe
2004-03-11 17:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
------- Sigcheck -------
2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 00:58 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\dllcache\tcpip.sys
2009-01-14 11:39 360320 a8a6c5b80cb4b619d1a41892eee69e11 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C5CF3FF-EBAE-47CE-A195-0BFD99A84317}]
2003-03-18 20:05 95744 --a------ c:\windows\system32\atl7.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]
"PowerBar"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-29 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-10 155648]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [BU]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-06 1168264]
"RRT-Auto"="c:\documents and settings\Tod\Desktop\RRT.exe" [BU]
"NvSvc"="c:\windows\system32\nvsvc32.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2005-09-27 294912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2007-12-11 03:59 307200 c:\program files\Syncrosoft\POS\H2O\cledx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\C-drive files\\C-drive files\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Documents and Settings\\Tod\\Desktop\\WinMX.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
R0 domvtnft;domvtnft;c:\windows\system32\drivers\domvtnft.sys [2001-08-23 23424]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-06 356920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-07-16 33792]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2007-09-29 45568]
R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys [2005-09-27 256896]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&vv=600&lc=1033
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 17:53:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2009-02-02 17:57:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-02 22:56:21
ComboFix2.txt 2009-02-02 02:46:12
Pre-Run: 4,739,166,208 bytes free
Post-Run: 4,953,014,272 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
205 --- E O F --- 2009-01-13 22:13:42
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
I'm not convinced we are out of the woods just yet...
I still suspect some other files.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new Hijack This log
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
Hi Cheeseball81,

Ok, so here is the SDFix Report:

SDFix: Version 1.240
Run by Tod on Mon 02/02/2009 at 11:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Rebooting

Checking Files :
Trojan Files Found:
C:\121864~1 - Deleted
C:\WINDOWS\ysij._sy - Deleted


Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 00:02:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :


Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"E:\\C-drive files\\C-drive files\\Program Files\\WinMX\\WinMX.exe"="E:\\C-drive files\\C-drive files\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Documents and Settings\\Tod\\Desktop\\WinMX.exe"="C:\\Documents and Settings\\Tod\\Desktop\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 14 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 14 Mar 2006 4,348 ...H. --- "C:\Documents and Settings\Tod\My Documents\My Music\License Backup\drmv1key.bak"
Tue 2 May 2006 20 A..H. --- "C:\Documents and Settings\Tod\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 14 Mar 2006 400 ...H. --- "C:\Documents and Settings\Tod\My Documents\My Music\License Backup\drmv2key.bak"
Tue 2 May 2006 1,536 A..H. --- "C:\Documents and Settings\Tod\My Documents\My Music\License Backup\drmv2lic.bak"
Finished!

And here is the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:41 AM, on 2/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&vv=600&lc=1033
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.2.13
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Tod\Desktop\RRT.exe auto
O4 - HKLM\..\Run: [NvSvc] C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7093 bytes

Thanks again for all your help. You have been tirelessly diligent.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You're welcome. Let's try this again:

Open Notepad and copy and paste the text in the quote box below into it:



File::
C:\WINDOWS\system32\atl7.dll
c:\documents and settings\Tod\Application Data\ijogaf.scr
c:\documents and settings\All Users\Application Data\iwesoj.scr
c:\windows\ozexecuc.sys
c:\program files\Common Files\mytyxetuf.bat
c:\documents and settings\Tod\Application Data\emykugiq.com
c:\windows\inas.reg
c:\documents and settings\Tod\Application Data\omefewogoz.com
c:\windows\abihoj.com


Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.







This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".


O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll

Reboot, post a new log
 

deltabluesy

Thread Starter
Joined
Jan 24, 2009
Messages
39
Just a note, I have Ad-Aware2009 free edition and it has been stalling when it gets to the stage of scanning (conditional) files - at that point, I must exit without success as far as being unable to delete the problem files it had detected so far in its process. This was happenning before I initially contacted you regarding the problem of the AVG threat detecting window recurring popups.

Here is the combofix log:

ComboFix 09-02-02.03 - Tod 2009-02-03 15:06:21.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.312 [GMT -5:00]
Running from: c:\documents and settings\Tod\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tod\Desktop\James\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Outdated)
FILE ::
c:\documents and settings\All Users\Application Data\iwesoj.scr
c:\documents and settings\Tod\Application Data\emykugiq.com
c:\documents and settings\Tod\Application Data\ijogaf.scr
c:\documents and settings\Tod\Application Data\omefewogoz.com
c:\program files\Common Files\mytyxetuf.bat
c:\windows\abihoj.com
c:\windows\inas.reg
c:\windows\ozexecuc.sys
c:\windows\system32\atl7.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\iwesoj.scr
c:\documents and settings\Tod\Application Data\emykugiq.com
c:\documents and settings\Tod\Application Data\ijogaf.scr
c:\documents and settings\Tod\Application Data\omefewogoz.com
c:\program files\Common Files\mytyxetuf.bat
c:\windows\abihoj.com
c:\windows\inas.reg
c:\windows\ozexecuc.sys
c:\windows\system32\atl7.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.
2009-02-02 23:41 . 2009-02-02 23:41 <DIR> d-------- c:\windows\ERUNT
2009-02-02 23:21 . 2009-02-03 00:07 <DIR> d-------- C:\SDFix
2009-02-02 17:45 . 2009-02-02 17:45 168,960 --a------ c:\windows\system32\gpresult.dll
2009-02-01 23:14 . 2009-02-01 23:14 <DIR> d-------- c:\documents and settings\Tod\Application Data\Malwarebytes
2009-02-01 23:13 . 2009-02-01 23:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 23:13 . 2009-02-01 23:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-01 23:13 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 23:13 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-01 21:55 . 2009-02-01 21:55 168,960 --a------ c:\windows\system32\freecell.dll
2009-02-01 21:46 . 2009-02-01 21:46 168,960 --a------ c:\windows\system32\logagent.dll
2009-02-01 20:00 . 2009-02-01 20:00 168,960 --a------ c:\windows\system32\gdi.dll
2009-02-01 15:46 . 2009-02-01 22:14 <DIR> d-------- c:\program files\HostsXpert
2009-02-01 15:44 . 2009-02-01 15:44 353,485 --a------ c:\program files\HostsXpert.zip
2009-01-24 00:19 . 2009-01-24 00:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 00:01 . 2009-01-24 00:01 812,344 --a------ c:\program files\HJTInstall.exe
2009-01-21 13:44 . 2003-03-18 20:05 95,744 --a------ c:\windows\system32\atl7.dll
2009-01-20 18:00 . 2009-01-22 10:34 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-20 09:06 . 2009-01-23 23:06 <DIR> d-------- c:\windows\system32\Adobe
2009-01-15 17:35 . 2009-01-15 17:35 16,244 --a------ c:\windows\system32\rrt_is.wav
2009-01-15 17:35 . 2009-01-15 17:35 7,302 --a------ c:\windows\system32\rrt_vf.wav
2009-01-15 17:35 . 2009-01-15 17:35 7,148 --a------ c:\windows\system32\rrt_tv.wav
2009-01-15 17:35 . 2009-01-15 17:35 6,282 --a------ c:\windows\system32\rrt_tn.wav
2009-01-14 11:39 . 2009-01-14 11:39 168,960 --a------ c:\windows\system32\fxssend.dll
2009-01-14 11:39 . 2009-01-14 11:39 168,960 --a------ c:\windows\system32\fxscover.dll
2009-01-08 01:39 . 2009-01-08 01:39 <DIR> d-------- c:\documents and settings\Tod\Application Data\TrojanHunter
2009-01-08 01:07 . 2009-02-03 10:49 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-01-08 01:07 . 2009-01-08 01:07 18,389,344 --a------ c:\program files\TrojanHunterSetup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 20:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 16:18 --------- d-----w c:\documents and settings\Tod\Application Data\AVG7
2009-02-03 13:51 --------- d-----w c:\program files\Spyware Doctor
2009-02-02 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-20 04:02 --------- d-----w c:\program files\Google
2009-01-14 16:39 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-06 21:24 13,307,640 ----a-w c:\program files\sdstart.exe
2008-11-06 15:35 13,596,592 ----a-w c:\program files\sdsetup.exe
2008-10-28 16:23 13,217,011 ----a-w c:\program files\waveagent-setup.exe
2008-01-30 20:02 21,364,592 ----a-w c:\program files\aaw2007.exe
2008-01-30 18:09 4,850,928 ----a-w c:\program files\aawsepersonal.exe
2007-10-27 18:56 9,301,896 ----a-w c:\program files\wintax.exe
2007-05-19 14:39 13,825,601 ----a-w c:\program files\FreePrimo32Setup.exe
2007-03-29 17:04 19,755,560 ----a-w c:\program files\avg75free_446a965.exe
2006-09-19 16:56 7,098,145 ----a-w c:\program files\converter.exe
2006-09-18 20:47 3,072 ----a-w c:\program files\RemoveWGA.dll
2006-09-17 22:12 19,672 ----a-w c:\documents and settings\Tod\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 18:38 572,483 ----a-w c:\program files\tefv.exe
2006-07-16 21:27 8,404,736 ----a-w c:\program files\ewido-setup_4.0.0.172b.exe
2006-07-16 18:44 61,074,638 ----a-w c:\program files\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O.part2.rar
2006-07-16 18:36 1,033,440 ----a-w c:\program files\wrar36b2.exe
2006-07-16 18:23 100,431,872 ----a-w c:\program files\Steinberg.Nuendo.v3.2.0.1128.MERRY.XMAS-H2O.part1.rar
2006-07-16 15:20 2,173,488 ----a-w c:\program files\spysubtract.exe
2006-07-16 15:15 313,281 ----a-w c:\program files\cwshredder.zip
2006-04-04 21:26 18,488,203 ----a-w c:\program files\ftmp7demo.exe
2006-04-04 21:18 18,488,203 ----a-w c:\program files\HFMC6.EXE
2006-02-07 18:52 10,703,680 ----a-w c:\program files\NDP1.1sp1-KB867460-X86.exe
2006-02-07 18:48 24,265,736 ----a-w c:\program files\dotnetfx.exe
2005-12-29 04:51 5,037,072 ----a-w c:\program files\spybotsd14.exe
2005-11-10 15:39 34,412,848 ----a-w c:\program files\iTunesSetup.exe
2005-11-01 00:28 369,896 ----a-w c:\program files\WindowsXP-KB888240-x86-ENU.exe
2005-10-27 18:00 20,921,040 ----a-w c:\program files\AdbeRdr705_enu_full.exe
2005-09-29 01:50 28,672 ----a-w c:\program files\Peer-Cache-Patch-1.1.exe
2005-09-29 01:05 823,296 ----a-w c:\program files\winmx353.exe
2005-09-28 17:16 558,240 ----a-w c:\program files\GoogleToolbarInstaller.exe
2004-03-11 17:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
------- Sigcheck -------
2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 00:58 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 c:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\ServicePackFiles\i386\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\dllcache\tcpip.sys
2009-01-14 11:39 360320 a8a6c5b80cb4b619d1a41892eee69e11 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C5CF3FF-EBAE-47CE-A195-0BFD99A84317}]
2003-03-18 20:05 95744 --a------ c:\windows\system32\atl7.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]
"PowerBar"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-29 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-10 155648]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [BU]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-11-06 1168264]
"RRT-Auto"="c:\documents and settings\Tod\Desktop\RRT.exe" [BU]
"NvSvc"="c:\windows\system32\nvsvc32.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2005-09-27 294912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2007-12-11 03:59 307200 c:\program files\Syncrosoft\POS\H2O\cledx.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\C-drive files\\C-drive files\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Documents and Settings\\Tod\\Desktop\\WinMX.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
R0 domvtnft;domvtnft;c:\windows\system32\drivers\domvtnft.sys [2001-08-23 23424]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-06 356920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2006-07-16 33792]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2007-09-29 45568]
R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\mrv8k51.sys [2005-09-27 256896]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?id=2&vv=600&lc=1033
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 15:15:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\windows\system32\devldr32.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\ewido anti-spyware 4.0\guard.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-02-03 15:23:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 20:21:35
ComboFix2.txt 2009-02-02 22:57:41
ComboFix3.txt 2009-02-02 02:46:12
Pre-Run: 4,977,860,608 bytes free
Post-Run: 4,456,738,816 bytes free
218 --- E O F --- 2009-01-13 22:13:42

And here is the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:01 PM, on 2/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&vv=600&lc=1033
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.2.13
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {2C5CF3FF-EBAE-47CE-A195-0BFD99A84317} - C:\WINDOWS\system32\atl7.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Tod\Desktop\RRT.exe auto
O4 - HKLM\..\Run: [NvSvc] C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7121 bytes

Thanks again for your continued support on this!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top