Help computer constantly getting mal/???? alerts.


spike9

Thread Starter
Joined
Apr 13, 2008
Messages
22
I think I'm infected with something. My computer seems to be running slower than usual and Spy Sweeper keeps blocking stuff as soon as the computer is turned on. When I check the quarantine there is usually some kind of mal/???? in there that I promptly delete. I've got Spy Sweeper, Avast and SUPERAntiSpyware running; they usually come up with something when I run a sweep, but I don't seem to be able to get rid of whatever is infecting my computer. I've tried the latest version of VundoFix and it doesn't pick up anything.

Thanks in advance.

Peter

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:07 PM, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Peter Rowntree\Desktop\Anti-virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SystemBoosterXP] "C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [bend logo clock film] "C:\Documents and Settings\All Users\Application Data\Frag great bend logo\Move Soft.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [DaleWindow] C:\DOCUME~1\PETERR~1\APPLIC~1\EQINTE~1\Storedead.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CM Control Center.lnk = C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://remote.tsb.gc.ca/CACHE/webvpn/stc/1/binaries/stcweb.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 11416 bytes
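The log above is read by eye, entry by entry, and the O4 lines (registry Run keys and Startup-folder shortcuts) are where a helper usually looks first. Here is an added example, not part of this thread and not HijackThis's own code, of a small triage script that parses O4 lines in that format, recovers the program path from each command, and flags two things a reviewer would want pointed out: programs launched from a user-writable profile directory (Documents and Settings, Application Data and their 8.3 short names) and bare filenames with no directory at all. The sample log is constructed for the example and modelled on the O4 line shapes that appear in HijackThis logs; the flagging heuristics (PROFILE_MARKERS, assess) are this example's own and only mark entries for review, they do not decide what is malicious.

```python
"""Triage the O4 (autorun) lines of a HijackThis log.

Added example: parses each O4 entry, recovers the program path from the
command, and flags entries a reviewer normally looks at first. The heuristics
are this example's own, not HijackThis's, and the sample log is constructed.
"""
import re
from dataclasses import dataclass, field

# Registry Run/RunOnce entries, e.g.
#   O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /flag
#   O4 - HKUS\S-1-5-18\..\Run: [name] C:\path\prog.exe (User 'SYSTEM')
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK.*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder entries, e.g.
#   O4 - Global Startup: Foo.lnk = C:\path\foo.exe
STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$"
)
# The program path is the command up to and including its extension,
# with a leading quote dropped; arguments and "(User ...)" suffixes are ignored.
PATH_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|pif|vbs|js))\b', re.IGNORECASE
)

# Directory fragments (8.3 short names included) that mark a user-writable
# location under a profile rather than Program Files or the Windows directory.
PROFILE_MARKERS = (
    "\\documents and settings\\", "\\docume~1\\",
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\", "\\locals~1\\",
    "\\temp\\",
)


@dataclass
class AutorunEntry:
    hive: str          # HKLM, HKCU, HKUS\<sid>, Global Startup, Startup
    name: str          # the [name] or shortcut name
    path: str          # program path recovered from the command
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def program_path(cmd: str) -> str:
    """Return the executable part of an O4 command string."""
    m = PATH_RE.match(cmd)
    if m:
        return m.group("path")
    # No recognised extension: fall back to the first whitespace-separated token.
    tokens = cmd.split()
    return tokens[0] if tokens else cmd


def assess(path: str) -> list:
    """Heuristic review reasons for a program path (empty list = nothing to note)."""
    reasons = []
    if "\\" not in path:
        reasons.append("unqualified filename, resolved through the search path")
    elif any(marker in path.lower() for marker in PROFILE_MARKERS):
        reasons.append("launched from a user-writable profile directory")
    return reasons


def parse_autoruns(log_text: str) -> list:
    """Parse every O4 line of a HijackThis log into AutorunEntry objects."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue  # not an O4 line (R0, O2, O23 ... are ignored here)
        path = program_path(m.group("cmd"))
        entries.append(AutorunEntry(m.group("hive"), m.group("name"), path, assess(path)))
    return entries


def flagged_names(log_text: str) -> list:
    """Names of the O4 entries that deserve a closer look, in log order."""
    return [e.name for e in parse_autoruns(log_text) if e.flagged]


# Constructed sample lines in HijackThis O4 format (illustrative, not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [bend logo clock film] "C:\Documents and Settings\All Users\Application Data\Frag great bend logo\Move Soft.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DaleWindow] C:\DOCUME~1\PETERR~1\APPLIC~1\EQINTE~1\Storedead.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for entry in parse_autoruns(SAMPLE_LOG):
        mark = "REVIEW" if entry.flagged else "ok    "
        print(f"{mark} [{entry.name}] {entry.path}  {'; '.join(entry.reasons)}")
```

Run it against a saved log with `parse_autoruns(open("hijackthis.log").read())`; the profile-directory rule is deliberately broad, since legitimate updaters sometimes live under Application Data too, so a flag means "look this one up", not "delete it".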
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,069
Hi and welcome to TSG,

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
 

spike9

Thread Starter
Joined
Apr 13, 2008
Messages
22
Thanks,

Here are the logs, and one question: should I disconnect from the internet and turn off my antivirus and spyware detectors? That is what I did before running ComboFix.

Peter

Part 1: ComboFix log

ComboFix 08-04-24.1 - Peter Rowntree 2008-04-26 13:05:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT -4:00]
Running from: D:\My Documents\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Peter Rowntree\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\_003696_.tmp.dll
C:\WINDOWS\system32\_003848_.tmp.dll
C:\WINDOWS\system32\_003849_.tmp.dll
C:\WINDOWS\system32\_003850_.tmp.dll
C:\WINDOWS\system32\_003851_.tmp.dll
C:\WINDOWS\system32\_003858_.tmp.dll
C:\WINDOWS\system32\_003859_.tmp.dll
C:\WINDOWS\system32\_003860_.tmp.dll
C:\WINDOWS\system32\_003861_.tmp.dll
C:\WINDOWS\system32\_003863_.tmp.dll
C:\WINDOWS\system32\_003864_.tmp.dll
C:\WINDOWS\system32\_003867_.tmp.dll
C:\WINDOWS\system32\_003868_.tmp.dll
C:\WINDOWS\system32\_003871_.tmp.dll
C:\WINDOWS\system32\_003872_.tmp.dll
C:\WINDOWS\system32\_003874_.tmp.dll
C:\WINDOWS\system32\_003875_.tmp.dll
C:\WINDOWS\system32\_003877_.tmp.dll
C:\WINDOWS\system32\_003882_.tmp.dll
C:\WINDOWS\system32\_003884_.tmp.dll
C:\WINDOWS\system32\_003887_.tmp.dll
C:\WINDOWS\system32\_003889_.tmp.dll
C:\WINDOWS\system32\_003890_.tmp.dll
C:\WINDOWS\system32\_003891_.tmp.dll
C:\WINDOWS\system32\_003892_.tmp.dll
C:\WINDOWS\system32\_003893_.tmp.dll
C:\WINDOWS\system32\_003896_.tmp.dll
C:\WINDOWS\system32\_003898_.tmp.dll
C:\WINDOWS\system32\_003899_.tmp.dll
C:\WINDOWS\system32\_003900_.tmp.dll
C:\WINDOWS\system32\_003904_.tmp.dll
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-22 21:19 . 2008-04-22 21:20 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-22 21:19 . 2008-04-22 21:19 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-22 21:17 . 2008-04-22 21:17 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-22 21:17 . 2008-04-23 18:48 <DIR> d-------- C:\Documents and Settings\Peter Rowntree\Contacts
2008-04-22 21:13 . 2008-04-22 21:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 21:03 . 2008-04-23 20:53 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 21:03 . 2008-04-22 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-18 10:58 . 2008-04-26 13:10 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000004-20021102}.BAK
2008-04-17 19:34 . 2008-04-17 19:34 <DIR> d-------- C:\Program Files\CCleaner
2008-04-13 13:03 . 2008-04-13 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-12 19:10 . 2008-04-12 19:10 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-12 12:54 . 2008-04-12 12:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 00:00 --------- d-----w C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect
2008-04-17 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Frag great bend logo
2008-04-06 23:22 --------- d-----w C:\Program Files\Java
2008-03-23 03:25 --------- d-----w C:\Documents and Settings\Peter Rowntree\Application Data\LimeWire
2008-03-21 01:08 --------- d-----w C:\Program Files\Eq Inter Rect
2008-03-19 02:01 --------- d-----w C:\Program Files\LimeWire
2008-03-16 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-12 23:52 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-04 02:14 --------- d-----w C:\Program Files\Logitech
2008-03-04 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-02-28 01:50 --------- d-----w C:\Program Files\iTunes
2008-02-28 01:50 --------- d-----w C:\Program Files\iPod
2008-02-28 01:46 --------- d-----w C:\Program Files\QuickTime
2008-02-26 18:38 --------- d-----w C:\Program Files\GoFlight
2008-02-26 17:58 --------- d-----w C:\Program Files\Your Company Name
2008-02-26 17:58 --------- d-----w C:\Program Files\FS2004SDK
2008-02-26 00:39 --------- d-----w C:\Program Files\Google
2007-12-08 04:39 22,328 ----a-w C:\Documents and Settings\Peter Rowntree\Application Data\PnkBstrK.sys
2007-10-17 00:03 267,592 ----a-w C:\Program Files\Uninstall Ask Toolbar.dll
2007-01-01 15:03 90 --sh--w C:\WINDOWS\cnerolf.bin
2006-02-11 03:18 90 --sh--w C:\WINDOWS\cnerolf.dat
2006-05-25 00:16 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 20:38 1957888]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-13 22:13 67128]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"AtiTrayTools"="C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe" [2007-10-21 16:06 566784]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2004-08-17 16:07 143360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 21:57 1481968]
"DaleWindow"="C:\DOCUME~1\PETERR~1\APPLIC~1\EQINTE~1\Storedead.exe" [2008-03-20 21:07 402944]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SystemBoosterXP"="C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe" [2006-11-30 18:16 637440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 16:49 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 18:57 2095640]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 18:43 2051096]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
CM Control Center.lnk - C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe [2006-02-09 20:20:32 539136]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-13 22:13:49 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-18 21:51:25 784912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-05-29 11:00 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"K:\\Program Files\\Lead Pursuit\\Battlefield Operations\\FalconAF.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\FSFDT\\FSCopilot\\FSInnUI.exe"=
"C:\\Program Files\\FSFDT\\FSInn\\FSInnFW.exe"=
"K:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"K:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DiskTrix\\SystemBooster2\\SystemBooster.exe"=
"K:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=
"K:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"K:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\KAV\\kis\\setup.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2007-10-16 04:42]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2006-08-11 15:56]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2005-07-30 05:19]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2005-05-17 02:07]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2005-05-17 02:06]
R3 gfvknt;GoFlight Virtual HID Keyboard;C:\WINDOWS\system32\DRIVERS\gfvknt.sys [2003-07-27 22:49]
R3 NPUSB;NPUSB;C:\WINDOWS\system32\DRIVERS\npusb.sys [2006-12-06 18:20]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-09-01 08:19]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys [2007-11-02 10:40]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-09-01 08:19]
S3 PciCon;PciCon;F:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 17:00:00 C:\WINDOWS\Tasks\AA0AA8CE91B12466.job"
- c:\docume~1\peterr~1\applic~1\eqinte~1\Lite Balm More.exe
"2008-04-09 11:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-26 16:49:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-01-17 12:13:00 C:\WINDOWS\Tasks\Defrag Job #00.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 14:30:00 C:\WINDOWS\Tasks\Defrag Job #01.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 15:00:00 C:\WINDOWS\Tasks\Defrag Job #02.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 16:30:00 C:\WINDOWS\Tasks\Defrag Job #03.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 18:00:00 C:\WINDOWS\Tasks\Defrag Job #04.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 04:11:00 C:\WINDOWS\Tasks\Defrag Job #1.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 06:00:00 C:\WINDOWS\Tasks\Defrag Job #2.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 07:00:00 C:\WINDOWS\Tasks\Defrag Job #3.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 09:00:00 C:\WINDOWS\Tasks\Defrag Job #4.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 10:00:00 C:\WINDOWS\Tasks\Defrag Job #5.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-04-22 02:00:03 C:\WINDOWS\Tasks\wrSpySweeper_0EB3D6B9D3B84E7EA69BA154770B25C1.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_0EB3D6B9D3B84E7EA69BA154770B25C1
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\raphook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Cisco Systems\SSL VPN Client\Agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-04-26 13:19:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 17:18:40

Pre-Run: 39,325,597,696 bytes free
Post-Run: 39,520,198,656 bytes free

278 --- E O F --- 2008-04-24 00:55:05
 

spike9

Thread Starter
Joined
Apr 13, 2008
Messages
22
PS: I forgot to install the Recovery Console before I ran ComboFix; I have now installed it.

Part 2: HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:37 PM, on 26/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SystemBoosterXP] "C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [DaleWindow] C:\DOCUME~1\PETERR~1\APPLIC~1\EQINTE~1\Storedead.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CM Control Center.lnk = C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://remote.tsb.gc.ca/CACHE/webvpn/stc/1/binaries/stcweb.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 12872 bytes

Cookiegal (Karen; Administrator, Malware Specialist Coordinator; joined Aug 27, 2003; 120,069 messages):
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\Program Files\Uninstall Ask Toolbar.dll
C:\WINDOWS\Tasks\AA0AA8CE91B12466.job

Folder::
C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect
C:\Documents and Settings\All Users\Application Data\Frag great bend logo
C:\Program Files\Eq Inter Rect

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DaleWindow"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"=-
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
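A worked version of the triage behind that script, added here as an example and not part of this thread or of ComboFix itself: a small Python script that reads HijackThis O4 lines and ComboFix's firewall-exception dump, flags the two patterns the helper removed (a Run value launching an executable from a short-name folder under Application Data, and Windows Firewall exceptions for rundll32.exe and iexplore.exe), and drafts the matching Registry:: section of a CFScript in the format used above. The sample lines are constructed to mirror the ones in this thread; the flagging rules and the HOST_BINARIES set are assumptions for a human to review, not a malware signature.

```python
"""Triage a HijackThis / ComboFix log and draft the Registry:: part of a CFScript.

Added example, not code from this thread or from ComboFix. The flagging
rules are assumptions modelled on what the helper removed above; they are
heuristics for a person to review, not a malware signature.
"""
import re

# Constructed sample lines in the shapes seen in this thread (not the full log).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DaleWindow] C:\DOCUME~1\PETERR~1\APPLIC~1\EQINTE~1\Storedead.exe
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
'''

# HijackThis O4 line: O4 - HKCU\..\Run: [ValueName] command
RUN_LINE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# ComboFix prints firewall exceptions regedit-style: "C:\\path\\app.exe"=
FW_LINE = re.compile(r'^"(.+)"=$')
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
FW_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
          r"\standardprofile\AuthorizedApplications\List")
# Assumption: Windows host binaries that have no business holding their own
# firewall exception; the helper removed exactly these two in this thread.
HOST_BINARIES = {"rundll32.exe", "iexplore.exe"}


def parse_run_entries(log):
    """Return (hive, value_name, command) for every O4 Run line."""
    found = []
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def parse_firewall_exceptions(log):
    """Return the exception paths with regedit's doubled backslashes undone."""
    paths = []
    for line in log.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def exe_path(command):
    """Strip surrounding quotes and trailing arguments from a Run command."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def flag_run_entries(entries):
    """Flag Run values whose executable lives under a user's Application Data.
    Assumption: startup items on this box install under Program Files or
    WINDOWS, so an .exe under APPLIC~1 / Application Data needs a look."""
    flagged = []
    for hive, name, command in entries:
        path = exe_path(command)
        upper = path.upper()
        if "\\APPLIC~1\\" in upper or "\\APPLICATION DATA\\" in upper:
            flagged.append((hive, name, path, "runs from Application Data"))
    return flagged


def flag_firewall_exceptions(paths):
    """Flag exceptions granted to generic Windows host binaries."""
    return [(p, "firewall exception for a Windows host binary")
            for p in paths if p.rsplit("\\", 1)[-1].lower() in HOST_BINARIES]


def build_cfscript(flagged_runs, flagged_fw):
    """Emit a Registry:: section in the thread's CFScript format:
    a key header, then "value"=- for each value to delete."""
    lines = ["Registry::"]
    by_hive = {}
    for hive, name, _path, _why in flagged_runs:
        by_hive.setdefault(hive, []).append(name)
    for hive, names in by_hive.items():
        lines.append("[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]"
                     % HIVES[hive])
        lines.extend('"%s"=-' % n for n in names)
    if flagged_fw:
        lines.append("[%s]" % FW_KEY)
        lines.extend('"%s"=-' % p.replace("\\", "\\\\") for p, _why in flagged_fw)
    return "\n".join(lines) + "\n"


def triage(log):
    """Run both checks and return the findings plus a draft CFScript."""
    runs = flag_run_entries(parse_run_entries(log))
    fw = flag_firewall_exceptions(parse_firewall_exceptions(log))
    return {"runs": runs, "firewall": fw, "cfscript": build_cfscript(runs, fw)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hive, name, path, why in result["runs"]:
        print("REVIEW %s\\Run [%s] -> %s (%s)" % (hive, name, path, why))
    for path, why in result["firewall"]:
        print("REVIEW firewall exception %s (%s)" % (path, why))
    print(result["cfscript"])
```

The generated script covers only the registry values. Folder:: and File:: entries still need the expanded long path (the helper wrote C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect by hand for the 8.3 form C:\DOCUME~1\PETERR~1\APPLIC~1\EQINTE~1 that appears in the log), and any draft like this should be read over by a person before it is dragged onto ComboFix.exe.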

spike9 (Thread Starter; joined Apr 13, 2008; 22 messages):

ComboFix log:

ComboFix 08-04-24.1 - Peter Rowntree 2008-04-27 11:35:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1302 [GMT -4:00]
Running from: C:\Documents and Settings\Peter Rowntree\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Peter Rowntree\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Uninstall Ask Toolbar.dll
C:\WINDOWS\Tasks\AA0AA8CE91B12466.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Frag great bend logo
C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect
C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect\0
C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect\Storedead.exe
C:\Documents and Settings\Peter Rowntree\Application Data\Eq Inter Rect\zvmxsotr.exe
C:\Program Files\Eq Inter Rect
C:\Program Files\Uninstall Ask Toolbar.dll
C:\WINDOWS\Tasks\AA0AA8CE91B12466.job

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-22 21:19 . 2008-04-22 21:20 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-22 21:19 . 2008-04-22 21:19 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-22 21:17 . 2008-04-22 21:17 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-22 21:17 . 2008-04-23 18:48 <DIR> d-------- C:\Documents and Settings\Peter Rowntree\Contacts
2008-04-22 21:13 . 2008-04-22 21:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 21:03 . 2008-04-23 20:53 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 21:03 . 2008-04-22 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-18 10:58 . 2008-04-27 11:39 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000004-20021102}.BAK
2008-04-17 19:34 . 2008-04-17 19:34 <DIR> d-------- C:\Program Files\CCleaner
2008-04-13 13:03 . 2008-04-13 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-12 19:10 . 2008-04-12 19:10 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-12 12:54 . 2008-04-12 12:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 23:22 --------- d-----w C:\Program Files\Java
2008-03-23 03:25 --------- d-----w C:\Documents and Settings\Peter Rowntree\Application Data\LimeWire
2008-03-19 02:01 --------- d-----w C:\Program Files\LimeWire
2008-03-16 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-12 23:52 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-04 02:14 --------- d-----w C:\Program Files\Logitech
2008-03-04 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-02-28 01:50 --------- d-----w C:\Program Files\iTunes
2008-02-28 01:50 --------- d-----w C:\Program Files\iPod
2008-02-28 01:46 --------- d-----w C:\Program Files\QuickTime
2007-12-08 04:39 22,328 ----a-w C:\Documents and Settings\Peter Rowntree\Application Data\PnkBstrK.sys
2007-01-01 15:03 90 --sh--w C:\WINDOWS\cnerolf.bin
2006-02-11 03:18 90 --sh--w C:\WINDOWS\cnerolf.dat
2006-05-25 00:16 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 20:38 1957888]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-13 22:13 67128]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"AtiTrayTools"="C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe" [2007-10-21 16:06 566784]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2004-08-17 16:07 143360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 21:57 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 19:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SystemBoosterXP"="C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe" [2006-11-30 18:16 637440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 16:49 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 18:57 2095640]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 18:43 2051096]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
CM Control Center.lnk - C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe [2006-02-09 20:20:32 539136]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-13 22:13:49 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-18 21:51:25 784912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-05-29 11:00 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"K:\\Program Files\\Lead Pursuit\\Battlefield Operations\\FalconAF.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\FSFDT\\FSCopilot\\FSInnUI.exe"=
"C:\\Program Files\\FSFDT\\FSInn\\FSInnFW.exe"=
"K:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"C:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"K:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DiskTrix\\SystemBooster2\\SystemBooster.exe"=
"K:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=
"K:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"K:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\KAV\\kis\\setup.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2007-10-16 04:42]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 01:53]
R2 PfDetNT;PfDetNT;C:\WINDOWS\system32\drivers\PfModNT.sys [2006-08-11 15:56]
R2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2005-07-30 05:19]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2005-05-17 02:07]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2005-05-17 02:06]
R3 gfvknt;GoFlight Virtual HID Keyboard;C:\WINDOWS\system32\DRIVERS\gfvknt.sys [2003-07-27 22:49]
R3 NPUSB;NPUSB;C:\WINDOWS\system32\DRIVERS\npusb.sys [2006-12-06 18:20]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-09-01 08:19]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys [2007-11-02 10:40]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-09-01 08:19]
S3 PciCon;PciCon;F:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 11:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-27 01:49:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-01-17 12:13:00 C:\WINDOWS\Tasks\Defrag Job #00.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 14:30:00 C:\WINDOWS\Tasks\Defrag Job #01.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 15:00:00 C:\WINDOWS\Tasks\Defrag Job #02.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 16:30:00 C:\WINDOWS\Tasks\Defrag Job #03.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-01-17 18:00:00 C:\WINDOWS\Tasks\Defrag Job #04.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 04:11:00 C:\WINDOWS\Tasks\Defrag Job #1.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 06:00:00 C:\WINDOWS\Tasks\Defrag Job #2.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 07:00:00 C:\WINDOWS\Tasks\Defrag Job #3.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 09:00:00 C:\WINDOWS\Tasks\Defrag Job #4.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-23 10:00:00 C:\WINDOWS\Tasks\Defrag Job #5.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-04-22 02:00:03 C:\WINDOWS\Tasks\wrSpySweeper_0EB3D6B9D3B84E7EA69BA154770B25C1.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_0EB3D6B9D3B84E7EA69BA154770B25C1
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\raphook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Cisco Systems\SSL VPN Client\Agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-04-27 11:49:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 15:48:23
ComboFix2.txt 2008-04-26 17:19:49

Pre-Run: 39,476,637,696 bytes free
Post-Run: 39,450,914,816 bytes free

236 --- E O F --- 2008-04-24 00:55:05

spike9 (Thread Starter; joined Apr 13, 2008; 22 messages):

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:42 PM, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SystemBoosterXP] "C:\Program Files\DiskTrix\SystemBooster2\SystemBooster.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CM Control Center.lnk = C:\Program Files\CH Products\Control Manager\CMCtlCtr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://remote.tsb.gc.ca/CACHE/webvpn/stc/1/binaries/stcweb.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 12591 bytes
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,069
Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click >Options over to the left, then >program options, and uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".


Open Notepad and copy and paste the text in the code box below into it:

Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"=-
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
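The CFScript above removes two entries from the Windows Firewall's AuthorizedApplications list. As an added example (not part of the thread, and not ComboFix or any tool named in it), the script below parses a .reg export of that key and flags enabled exceptions whose executable is a generic host binary such as rundll32.exe or iexplore.exe, the two the CFScript deletes. The .reg text is constructed for the example; the value layout `path:scope:Enabled:name` is the one Windows XP SP2 uses for that key.

```python
"""Audit a .reg export of the XP firewall AuthorizedApplications list.

Added example for this thread; not from the thread, ComboFix or Webroot.
"""
import re

# Constructed .reg export; the rundll32/iexplore entries mirror the CFScript.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

# Host binaries that run arbitrary code: an exception for them is effectively
# an exception for whatever they are told to load. The two from the CFScript.
HOST_BINARIES = {"rundll32.exe", "iexplore.exe"}

ENTRY = re.compile(r'^"(.+)"="(.+)"$')
# Value data is  path:scope:Enabled|Disabled:display name  (scope is * or a subnet list).
VALUE = re.compile(r"^(.*):(\*|[^:]*):(Enabled|Disabled):(.*)$", re.I)


def parse_authorized_apps(reg_text):
    """Return [(path, scope, enabled, name)] from the List key of a .reg export."""
    apps, in_list = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_list = line.rstrip("]").endswith("\\AuthorizedApplications\\List")
            continue
        m = ENTRY.match(line) if in_list else None
        if not m:
            continue
        data = m.group(2).replace("\\\\", "\\")  # .reg files escape backslashes
        v = VALUE.match(data)
        if v:
            apps.append((v.group(1), v.group(2), v.group(3).lower() == "enabled", v.group(4)))
    return apps


def suspicious_exceptions(apps, host_binaries=HOST_BINARIES):
    """Enabled exceptions whose executable name is a generic host binary."""
    return [a for a in apps
            if a[2] and a[0].rsplit("\\", 1)[-1].lower() in host_binaries]
```

On a live machine the export would come from `reg export` of that key; running the audit on the export rather than the live registry keeps the check read-only, and the set of host binaries can be extended to taste.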

spike9

Thread Starter
Joined
Apr 13, 2008
Messages
22
Cookiegal,

I turned off everything in SpySweeper as you instructed and tried running ComboFix with the new CFScript file. ComboFix only made it to stage four, at which point the computer rebooted and indicated that Windows had recovered from a serious error. There was no log file created.

Spike
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,069
Please go to Start - Run - type in eventvwr.msc to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.
 

spike9

Thread Starter
Joined
Apr 13, 2008
Messages
22
Here you go; a lot of the stuff just keeps repeating:

Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]


Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-27
Time: 19:16
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-27
Time: 19:04
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-27
Time: 18:53
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-27
Time: 11:44
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-27
Time: 11:10
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Type: Error
Event Source: Windows Live Messenger
Event Category: None
Event ID: 1000
Date: 2008-04-26
Time: 18:33
User: N/A
Computer: SPIKE
Description:
The description for Event ID ( 1000 ) in Source ( Windows Live Messenger ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: msnmsgr.exe, 8.5.1302.1018, 4717a53b, sockspy.dll, 0.0.0.0, 43d904b9, 0, 0000104a.
Data:
0000: 41 00 70 00 70 00 6c 00 A.p.p.l.
0008: 69 00 63 00 61 00 74 00 i.c.a.t.
0010: 69 00 6f 00 6e 00 20 00 i.o.n. .
0018: 46 00 61 00 69 00 6c 00 F.a.i.l.
0020: 75 00 72 00 65 00 20 00 u.r.e. .
0028: 20 00 6d 00 73 00 6e 00 .m.s.n.
0030: 6d 00 73 00 67 00 72 00 m.s.g.r.
0038: 2e 00 65 00 78 00 65 00 ..e.x.e.
0040: 20 00 38 00 2e 00 35 00 .8...5.
0048: 2e 00 31 00 33 00 30 00 ..1.3.0.
0050: 32 00 2e 00 31 00 30 00 2...1.0.
0058: 31 00 38 00 20 00 34 00 1.8. .4.
0060: 37 00 31 00 37 00 61 00 7.1.7.a.
0068: 35 00 33 00 62 00 20 00 5.3.b. .
0070: 69 00 6e 00 20 00 73 00 i.n. .s.
0078: 6f 00 63 00 6b 00 73 00 o.c.k.s.
0080: 70 00 79 00 2e 00 64 00 p.y...d.
0088: 6c 00 6c 00 20 00 30 00 l.l. .0.
0090: 2e 00 30 00 2e 00 30 00 ..0...0.
0098: 2e 00 30 00 20 00 34 00 ..0. .4.
00a0: 33 00 64 00 39 00 30 00 3.d.9.0.
00a8: 34 00 62 00 39 00 20 00 4.b.9. .
00b0: 66 00 44 00 65 00 62 00 f.D.e.b.
00b8: 75 00 67 00 20 00 30 00 u.g. .0.
00c0: 20 00 61 00 74 00 20 00 .a.t. .
00c8: 6f 00 66 00 66 00 73 00 o.f.f.s.
00d0: 65 00 74 00 20 00 30 00 e.t. .0.
00d8: 30 00 30 00 30 00 31 00 0.0.0.1.
00e0: 30 00 34 00 61 00 0d 00 0.4.a...
00e8: 0a 00 ..

Event Type: Error
Event Source: STCAgent
Event Category: None
Event ID: 2
Date: 2008-04-26
Time: 18:31
User: N/A
Computer: SPIKE
Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 2008-04-28
Time: 20:45
User: N/A
Computer: SPIKE
Description:
The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 2008-04-28
Time: 20:45
User: N/A
Computer: SPIKE
Description:
The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error:
%%0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The BDFsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The following boot-start or system-start driver(s) failed to load:
fasttx2k

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: fasttx2k
Event Category: None
Event ID: 4
Date: 2008-04-28
Time: 20:43
User: N/A
Computer: SPIKE
Description:
Driver detected an internal error in its data structures for .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 00 00 00 00 04 00 04 c0 .......À
0010: 02 00 00 00 c0 00 00 c0 ....À..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error:
%%0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The NEC PCI to USB Enhanced Host Controller service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 20:33
User: N/A
Computer: SPIKE
Description:
The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 20:33
User: N/A
Computer: SPIKE
Description:
The BDFsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:32
User: N/A
Computer: SPIKE
Description:
The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:32
User: N/A
Computer: SPIKE
Description:
The BDFsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The BDFsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error:
%%0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The following boot-start or system-start driver(s) failed to load:
fasttx2k

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error:
%%0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:17
User: N/A
Computer: SPIKE
Description:
The NEC PCI to USB Enhanced Host Controller service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: fasttx2k
Event Category: None
Event ID: 4
Date: 2008-04-27
Time: 19:16
User: N/A
Computer: SPIKE
Description:
Driver detected an internal error in its data structures for .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 00 00 00 00 04 00 04 c0 .......À
0010: 02 00 00 00 c0 00 00 c0 ....À..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 2008-04-27
Time: 19:05
User: N/A
Computer: SPIKE
Description:
Error code 1000008e, parameter1 c0000005, parameter2 8056b506, parameter3 aa226c44, parameter4 00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 38 1000008
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 38 30 35 36 62 35 30 36 8056b506
0040: 2c 20 61 61 32 32 36 63 , aa226c
0048: 34 34 2c 20 30 30 30 30 44, 0000
0050: 30 30 30 30 0000

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 2008-04-27
Time: 19:04
User: N/A
Computer: SPIKE
Description:
The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 2008-04-27
Time: 19:04
User: N/A
Computer: SPIKE
Description:
The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:03
User: N/A
Computer: SPIKE
Description:
The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-27
Time: 19:03
User: N/A
Computer: SPIKE
Description:
The BDFsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2008-04-27
Time: 19:03
User: N/A
Computer: SPIKE
Description:
The following boot-start or system-start driver(s) failed to load:
fasttx2k

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: fasttx2k
Event Category: None
Event ID: 4
Date: 2008-04-27
Time: 19:02
User: N/A
Computer: SPIKE
Description:
Driver detected an internal error in its data structures for .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 00 00 00 00 04 00 04 c0 .......À
0010: 02 00 00 00 c0 00 00 c0 ....À..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,069
Looks like some possible hardware issues there so I'm going to ask someone else to take a look.
 
Joined
Dec 9, 2000
Messages
45,855
1 >> STCAgent >> related to Cisco VPN -- "error" occurs when user logs off using Fast User Switching.

--- I don't believe this is a true error.


2 >> The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

-- relates to BitDefender; I would assume there is a damaged install or a residual startup entry that was not removed if it was uninstalled

3 >> The following boot-start or system-start driver(s) failed to load:
fasttx2k

-- not sure what to make of this one, the driver is for a Promise Raid Architecture I believe; if it is consistently repeating you would need to reinstall those Promise drivers for your RAID controller; http://www.promise.com/product/product_detail_eng.asp?segment=RAID 0/1 HBAs&product_id=128 You would need to verify the hardware model on their site for the correct drivers.

4 >> Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 2008-04-27
Time: 19:05
User: N/A
Computer: SPIKE
Description:
Error code 1000008e, parameter1 c0000005, parameter2 8056b506, parameter3 aa226c44, parameter4 00000000.

This is a BSOD. No doubt the one you mention in post 9.

--- Need more info:

I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to %systemroot%\minidump and copy the last few minidump files to that folder. %systemroot% is normally c:\windows. They are numbered by date. You can paste that address in the address bar to get there.
3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a non-system driver causing the error, if one exists for it.
 
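The reply above sorts the pasted Event Viewer errors by hand: STCAgent noise, failed BitDefender drivers, the fasttx2k boot driver, and the 1003 "System Error" bugcheck. As an added example (not from the thread or any tool it names), the script below does the same grouping over the text format the poster pasted: it splits a paste into events, collects them by (source, event ID), and pulls out the service, driver or bugcheck each one is about. The sample paste is constructed in that format; the Service Control Manager ID meanings and the codes 0x1000008E (KERNEL_MODE_EXCEPTION_NOT_HANDLED_M) and 0xC0000005 (STATUS_ACCESS_VIOLATION) are from Microsoft's documentation.

```python
"""Triage helper for Windows XP Event Viewer text pastes (added example,
not a tool from the thread): group by (source, ID) and extract subjects."""
import re

# Constructed sample in the same layout as the poster's event log paste.
SAMPLE = """\
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The BDRsDrv service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 2008-04-28
Time: 20:44
User: N/A
Computer: SPIKE
Description:
The following boot-start or system-start driver(s) failed to load:
fasttx2k

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 2008-04-27
Time: 19:05
User: N/A
Computer: SPIKE
Description:
Error code 1000008e, parameter1 c0000005, parameter2 8056b506, parameter3 aa226c44, parameter4 00000000.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
"""

HEADER = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): ?(.*)$")
# Service Control Manager IDs seen in the thread; XP bugcheck / NTSTATUS codes it shows.
SCM = {7000: "service failed to start", 7001: "dependency failed to start",
       7026: "boot/system-start driver failed to load", 7034: "service terminated unexpectedly"}
BUGCHECK = {0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M"}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}


def parse_events(text):
    """Split a paste into dicts; the description is joined into one line."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        ev, desc, state = {}, [], "header"
        for line in chunk.splitlines():
            if state == "header":
                m = HEADER.match(line)
                if m:
                    ev[m.group(1)] = m.group(2).strip()
                elif line.startswith("Description:"):
                    state = "desc"
            elif state == "desc":
                # The help URL and the hex dump end the useful description text.
                if line.startswith(("For more information", "Data:")):
                    state = "tail"
                elif line.strip():
                    desc.append(line.strip())
        ev["description"] = " ".join(desc)
        events.append(ev)
    return events


def classify(ev):
    """Return (meaning, subject) for one event."""
    src, eid, desc = ev["Event Source"], int(ev["Event ID"]), ev["description"]
    if src == "Service Control Manager":
        m = (re.search(r"The (.+?) service (?:failed to start|terminated|depends on)", desc)
             or re.search(r"failed to load: (\S+)", desc))
        return SCM.get(eid, "SCM event %d" % eid), (m.group(1) if m else "?")
    if src == "System Error" and eid == 1003:  # XP bugcheck (blue screen) record
        m = re.search(r"Error code ([0-9a-f]+), parameter1 ([0-9a-f]+)", desc)
        code, p1 = int(m.group(1), 16), int(m.group(2), 16)
        return ("bugcheck 0x%08X %s" % (code, BUGCHECK.get(code, "?")),
                "parameter1 0x%08X %s" % (p1, NTSTATUS.get(p1, "?")))
    return "unclassified", desc[:60]


def triage(text):
    """Group a paste by (source, event ID) -> (count, meaning, set of subjects)."""
    groups = {}
    for ev in parse_events(text):
        key = (ev["Event Source"], int(ev["Event ID"]))
        meaning, subject = classify(ev)
        count, _, subjects = groups.get(key, (0, meaning, set()))
        subjects.add(subject)
        groups[key] = (count + 1, meaning, subjects)
    return groups
```

Feeding the full paste from the thread through `triage` collapses the repeated BDRsDrv/BDFsDrv 7000 entries and the fasttx2k 7026 entries into one line each, which is the view that makes the "damaged install" and "driver for hardware that is not present" conclusions obvious; for parameter1 of a 0x1000008E bugcheck, the NTSTATUS tells you the exception type, but which driver faulted still needs the minidump, as the reply says.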

spike9

Thread Starter
Joined
Apr 13, 2008
Messages
22
I have uninstalled the Fast Track RAID controller as I'm not running a RAID array, and also uninstalled the Cisco VPN client driver that showed a few errors. I can reinstall it the next time I need it, which isn't too often.

I have attached the minidump files; there were only two in the file.

Thanks for all the help both of you, hopefully we can resolve whatever problems are lurking in my machine.

Peter
 
