1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Hijack this log!

Discussion in 'Virus & Other Malware Removal' started by Mucknie, Apr 13, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    I got a major infection of adware,malware and spyware a few days ago. I got rid of some of it, but i need help could someone please tell me if there is anything i need to delete from my Hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:41 PM, on 13/04/2008
    Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3244)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\bfeitbcz.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2CCEA100-B5C1-4A21-B44F-B8BFC58ECF79} - C:\WINDOWS\system32\vtUlMgFX.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [bfeitbcz] C:\WINDOWS\system32\bfeitbcz.exe
    O4 - HKLM\..\Run: [cvclcved] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\cvclcved.dll"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [ucaaukhb] C:\WINDOWS\system32\ucaaukhb.exe
    O4 - HKLM\..\Run: [yxgrwhqt] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\yxgrwhqt.dll"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [4829703a] rundll32.exe "C:\WINDOWS\system32\blakedch.dll",b
    O4 - HKLM\..\Run: [BM4b1a43a6] Rundll32.exe "C:\WINDOWS\system32\ysyuupil.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: aqmkgdbj - C:\WINDOWS\SYSTEM32\aqmkgdbj.dll
    O20 - Winlogon Notify: __c0041390 - C:\WINDOWS\SYSTEM32\__c0041390.dat
    O20 - Winlogon Notify: __c00F4A4D - C:\WINDOWS\SYSTEM32\__c00F4A4D.dat
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 9512 bytes

    Thanks..Mucknie... :)
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

    Post the log from ComboFix along with a new HijackThis log.
     
  3. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    hijack this log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:46:44 AM, on 15/04/2008
    Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3244)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...0000097.000001cf&c=00000082.000000e6.0000026f
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: __c0041390 - C:\WINDOWS\SYSTEM32\__c0041390.dat
    O20 - Winlogon Notify: __c00F4A4D - C:\WINDOWS\SYSTEM32\__c00F4A4D.dat
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OKAYW - Unknown owner - C:\DOCUME~1\Fung\LOCALS~1\Temp\OKAYW.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8410 bytes


    Combofix log:

    ComboFix 08-04-13.3 - Fung 2008-04-15 10:36:04.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.579 [GMT 10:00]
    Running from: C:\Documents and Settings\Fung\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\BM4b1a43a6.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\bpuuitin.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\XFgMlUtv.ini
    C:\WINDOWS\system32\XFgMlUtv.ini2

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsuõj
    .
    ((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
    .

    2008-04-14 19:30 . 2008-04-14 19:30 0 --a------ C:\WINDOWS\system32\OPINVJPM
    2008-04-14 14:11 . 2008-04-14 14:11 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
    2008-04-14 14:10 . 2008-04-14 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2008-04-14 14:07 . 2008-04-14 14:07 <DIR> d-------- C:\Program Files\Sunbelt Software
    2008-04-14 13:24 . 2008-04-15 10:15 <DIR> d-------- C:\Documents and Settings\Fung\Application Data\AVG7
    2008-04-14 13:23 . 2008-04-14 13:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-04-14 13:23 . 2008-04-14 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-04-14 13:21 . 2008-04-14 13:21 <DIR> d-------- C:\Program Files\Defraggler
    2008-04-13 00:04 . 2008-04-13 00:04 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-13 00:04 . 2008-04-13 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-04-12 19:08 . 2008-04-14 13:00 946 ---hs---- C:\WINDOWS\system32\hcdekalb.ini
    2008-04-12 19:02 . 2008-04-12 19:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-12 19:02 . 2008-04-12 19:02 32,320 --a------ C:\WINDOWS\system32\__c00F4A4D.dat
    2008-04-12 16:12 . 2008-04-12 16:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-12 16:12 . 2008-04-13 00:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-12 16:12 . 2008-04-12 16:12 <DIR> d-------- C:\Documents and Settings\Fung\Application Data\SUPERAntiSpyware.com
    2008-04-12 16:12 . 2008-04-12 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-12 12:03 . 2008-04-12 12:03 <DIR> d-------- C:\Documents and Settings\Fung\Application Data\Sunbelt Software
    2008-04-11 23:42 . 2008-04-11 23:42 <DIR> d-------- C:\Documents and Settings\Fung\Application Data\Grisoft
    2008-04-11 23:28 . 2008-04-11 23:28 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-11 23:25 . 2008-04-11 23:25 <DIR> d-------- C:\Program Files\CCleaner
    2008-04-11 23:25 . 2007-05-30 22:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-04-11 22:52 . 2008-04-11 22:52 <DIR> d-------- C:\Program Files\filehippo.com
    2008-04-11 19:41 . 2008-04-11 19:41 102,400 --a------ C:\Documents and Settings\All Users\Application Data\yxgrwhqt.dll
    2008-04-11 19:40 . 2008-04-11 19:40 32,320 --a------ C:\WINDOWS\system32\__c0041390.dat
    2008-04-11 19:21 . 2008-04-14 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-04-10 21:23 . 2008-04-12 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-10 19:26 . 2008-04-11 22:15 <DIR> d-------- C:\VundoFix Backups
    2008-04-10 19:15 . 2008-04-10 19:15 32,320 --a------ C:\WINDOWS\system32\__c001ACB4.dat
    2008-04-10 18:44 . 2008-04-10 18:44 106,496 --a------ C:\Documents and Settings\All Users\Application Data\cvclcved.dll
    2008-04-10 18:30 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-04-09 19:12 . 2008-04-09 21:15 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2008-03-30 13:37 . 2008-03-30 13:37 <DIR> d-------- C:\Maths

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-15 00:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-13 11:03 11,376 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2008-04-13 06:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-03 08:39 --------- d-----w C:\Documents and Settings\Fung\Application Data\LimeWire
    2008-03-11 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
    2008-03-08 23:14 --------- d-----w C:\Program Files\Java
    2008-03-07 10:18 --------- d-----w C:\Program Files\Common Files\Real
    2008-02-28 08:57 --------- d-----w C:\Program Files\Windows Live
    2008-02-28 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-02-23 01:03 --------- d-----w C:\Program Files\iTunes
    2008-02-23 01:03 --------- d-----w C:\Program Files\iPod
    2008-02-23 01:02 --------- d-----w C:\Program Files\QuickTime
    2008-02-21 06:43 --------- d-----w C:\Program Files\ffdshow
    2008-02-21 06:21 --------- d-----w C:\Documents and Settings\Fung\Application Data\Pegasys Inc
    2008-02-21 06:19 33,408 ----a-w C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
    2008-01-22 07:39 72,382 ----a-w C:\WINDOWS\BricoPackUninst.cmd
    2008-01-22 07:39 5,265 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
    2007-02-06 14:23 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    .

    ------- Sigcheck -------

    2006-06-23 21:25 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
    2006-09-14 18:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll
    2006-10-24 01:34 664576 231ef4179acabe486376b5ca893f1076 C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\wininet.dll
    2007-01-05 00:05 665088 3ffa1573fc274e5aa7467d03941c45ee C:\WINDOWS\$hf_mig$\KB928090\SP2QFE\wininet.dll
    2007-02-20 19:52 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll
    2007-04-18 22:46 665600 4261ba03afd659de04f0a17dfbdd454d C:\WINDOWS\$hf_mig$\KB933566\SP2QFE\wininet.dll
    2007-06-27 00:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
    2007-08-22 22:55 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
    2007-10-11 15:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
    2007-10-11 16:13 659456 2005ad86a22aee68e21ee59f9ccb77f2 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
    2007-10-30 23:32 699904 dd2fd1ee96c994f2cb4bb3f375fcb83b C:\WINDOWS\ServicePackFiles\i386\wininet.dll
    2007-10-30 23:32 699904 dd2fd1ee96c994f2cb4bb3f375fcb83b C:\WINDOWS\system32\wininet.dll

    2007-10-30 23:32 975872 833587fa90595d04c94c92dd1170aded C:\WINDOWS\explorer.exe
    2007-06-13 21:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2007-06-13 20:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
    2007-10-30 23:32 975872 833587fa90595d04c94c92dd1170aded C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-30 23:32 15360]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 18:25 1961984]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 10:34 5724184]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "@"="C:\Program Files\Internet Explorer\iexplore.exe" [2007-10-30 23:32 832512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 11:07 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 11:07 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 11:07 455168]
    "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-14 12:06 1397760]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 13:23 579072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-10-30 23:32 15360]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-14 13:23 219136]

    C:\Documents and Settings\Fung\Start Menu\Programs\Startup\
    RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 08:05:02 630784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0041390]
    __c0041390.dat 2008-04-11 19:40 32320 C:\WINDOWS\system32\__c0041390.dat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F4A4D]
    __c00F4A4D.dat 2008-04-12 19:02 32320 C:\WINDOWS\system32\__c00F4A4D.dat

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Logitech\\SetPoint\\logitechconnect.exe"=
    "C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PowerDVD.exe"=
    "C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\Hpqdirec.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\HP Print Screen\\prnsys.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqthb08.exe"=
    "C:\\Program Files\\WinRAR\\WinRAR.exe"=
    "C:\\Program Files\\Logitech\\SetPoint\\quicktour.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
    "C:\\Program Files\\NETGEAR\\WG311v3\\wlancfg5.exe"=
    "C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
    "C:\\Program Files\\CCleaner\\CCleaner.exe"=
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
    "C:\\Program Files\\ASUS\\ASUSUpdate\\Update.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

    R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-14 14:11]
    S3 OKAYW;OKAYW;C:\DOCUME~1\Fung\LOCALS~1\Temp\OKAYW.exe []
    S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
    S3 PPortJoystick;Parallel Port Joystick device driver;C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 08:11]
    S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
    S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-02-15 14:14]
    S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2007-10-30 18:02]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3167a35f-b4ec-11db-a028-0011d86bf966}]
    \Shell\Auto\command - setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a77afb1-1b0c-11dc-a1b9-00173162af7c}]
    \Shell\Auto\command - setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8312a896-5a00-11dc-a2f0-00173162af7c}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87b8af0a-6d77-11db-9f4f-0011d86bf966}]
    \Shell\Auto\command - setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0798787-b0f7-11dc-a3c8-00173162af7c}]
    \Shell\Auto\command - E:\setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32e8b6e-60d7-11db-9f2e-0011d86bf966}]
    \Shell\Auto\command - setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3cd465b-b04c-11dc-a3c7-00173162af7c}]
    \Shell\Auto\command - G:\setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-15 10:40:15
    Windows 5.1.2600 Service Pack 3, v.3244 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\__c0041390.dat
    -> C:\WINDOWS\system32\__c00F4A4D.dat
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-15 10:41:59 - machine was rebooted [Fung]
    ComboFix-quarantined-files.txt 2008-04-15 00:41:55

    Pre-Run: 101,248,823,296 bytes free
    Post-Run: 101,247,995,904 bytes free
    .
    2008-04-09 12:20:37 --- E O F ---


    Will this eventually help repair my search engines because everytime i search something and click on the link im taken to sites such as: hren.com xsearch, and search-daily...
    Plz help!
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to you desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.



    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Select Files to Delete choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.


    Please perform a scan with Kaspersky Webscan Online Virus Scanner
    • Read the Requirements and Privacy statement, then select "Accept".
    • A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
    • When the download is complete it will say ready, click "Next".
    • Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
    • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    • Click "OK".
    • Under "Select a target to scan", click on "My Computer".
    • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
     
  5. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    Combofix keeps crashing on restart, it just freezes for like 20 mins.

    Everything's working fine the only problem is, that my securtiy centre is locked, if you can help me unlock it everyting wil lbe 100 % (y) :cool:
     
  6. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    Sorry for that....My bad actually, EVERYTHING IS FINE. my pc is 99.9%...

    The .1 is that in my seucrity centre, under the anti-virus tab it says i have more than one anti-virus program installed, all i've got is AVG...????
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      [b]C:\WINDOWS\system32\__c00F4A4D.dat
      C:\WINDOWS\system32\hcdekalb.ini
      C:\WINDOWS\system32\__c0041390.dat
      C:\Documents and Settings\All Users\Application Data\yxgrwhqt.dll
      C:\WINDOWS\system32\__c001ACB4.dat
      C:\Documents and Settings\All Users\Application Data\cvclcved.dll
      C:\WINDOWS\system32\OPINVJPM
      [/b]
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Select Files to Delete choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.


    Please perform a scan with Kaspersky Webscan Online Virus Scanner
    • Read the Requirements and Privacy statement, then select "Accept".
    • A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
    • When the download is complete it will say ready, click "Next".
    • Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
    • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    • Click "OK".
    • Under "Select a target to scan", click on "My Computer".
    • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
     
  8. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    Otmoveit log:
    File/Folder C:\WINDOWS\system32\__c00F4A4D.dat not found.
    File/Folder C:\WINDOWS\system32\hcdekalb.ini not found.
    File/Folder C:\WINDOWS\system32\__c0041390.dat not found.
    File/Folder C:\Documents and Settings\All Users\Application Data\yxgrwhqt.dll not found.
    File/Folder C:\WINDOWS\system32\__c001ACB4.dat not found.
    File/Folder C:\Documents and Settings\All Users\Application Data\cvclcved.dll not found.
    C:\WINDOWS\system32\OPINVJPM moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04212008_150121


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/21/2008 at 04:03 PM

    Application Version : 4.0.1154

    Core Rules Database Version : 3444
    Trace Rules Database Version: 1436

    Scan type : Complete Scan
    Total Scan Time : 00:49:16

    Memory items scanned : 381
    Memory threats detected : 0
    Registry items scanned : 5324
    Registry threats detected : 0
    File items scanned : 31394
    File threats detected : 5

    Trojan.Unclassified-Packed/Suspicious
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0093785.DLL

    Trojan.Unclassified/AffiliateBundle
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095012.DLL

    Adware.Vundo-Variant/E
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095023.DLL

    Trojan.Unclassified/Multi-Dropper
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095024.EXE

    Adware.Vundo-Variant/Small-A
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095025.DLL

    kapersky log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, April 21, 2008 9:17:54 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3244 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 22/04/2008
    Kaspersky Anti-Virus database records: 720722
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 94159
    Number of viruses found: 3
    Number of infected objects: 7
    Number of suspicious objects: 0
    Duration of the scan process: 02:42:58

    Infected Object Name / Virus Name / Last Action
    C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Fung\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Identities\{85CF58BC-D31A-47C8-8C7F-B11A5538F59C}\Microsoft\Outlook Express\Outbox.dbx/[From "jelly bean" <[email protected]>][Date Wed, 23 Jan 2008 20:20:34 +1100]/keyfinder.rar/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:pSWTool.Win32.RAS.g skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Identities\{85CF58BC-D31A-47C8-8C7F-B11A5538F59C}\Microsoft\Outlook Express\Outbox.dbx/[From "jelly bean" <[email protected]>][Date Wed, 23 Jan 2008 20:20:34 +1100]/keyfinder.rar/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Identities\{85CF58BC-D31A-47C8-8C7F-B11A5538F59C}\Microsoft\Outlook Express\Outbox.dbx/[From "jelly bean" <[email protected]>][Date Wed, 23 Jan 2008 20:20:34 +1100]/keyfinder.rar/keyfinder.exe/data.rar Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Identities\{85CF58BC-D31A-47C8-8C7F-B11A5538F59C}\Microsoft\Outlook Express\Outbox.dbx/[From "jelly bean" <[email protected]>][Date Wed, 23 Jan 2008 20:20:34 +1100]/keyfinder.rar/keyfinder.exe Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Identities\{85CF58BC-D31A-47C8-8C7F-B11A5538F59C}\Microsoft\Outlook Express\Outbox.dbx/[From "jelly bean" <[email protected]>][Date Wed, 23 Jan 2008 20:20:34 +1100]/keyfinder.rar Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Identities\{85CF58BC-D31A-47C8-8C7F-B11A5538F59C}\Microsoft\Outlook Express\Outbox.dbx MailMSOutlook5: infected - 5 skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Fung\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Fung\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Fung\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat Object is locked skipped
    C:\Documents and Settings\Fung\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Fung\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Fung\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\Fung\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP139\A0078295.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP139\A0078304.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP139\A0079154.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP139\A0081232.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP139\A0084209.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP140\A0086230.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP142\A0088222.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095008.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095009.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095010.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095011.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095013.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095014.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095015.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095017.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095018.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095019.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095020.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095021.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095029.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP153\A0095031.dll Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP169\change.log Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP22\A0037930.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP24\A0037936.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP48\A0048184.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP50\A0048489.exe Object is locked skipped
    C:\System Volume Information\_restore{92156243-A130-4AB9-8B6F-70A500A3EB22}\RP78\A0054017.exe Infected: not-a-virus:Downloader.Win32.VDown.a skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The remainder of the infected items are in your Outlook sent.

    I would suggest you empty that and the deleted items folder.


    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]


    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405



    Now you should Clean up your PC


    Here are some additional links for you to check out to help you with your computer security.

    How did I get infected in the first place.

    Good free tools and advice on how to tighten your security settings.

    Security Help Tools
     
  10. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    In my security centre under the Anti-Virus tab it STILL says i have more than 1 anti-virus program installed?? all i've got is AVG 7.0!!

    Also could u plz answer a few of my questions relating to AVG?

    1. When a message saying "Threat Detected" pops up on AVG, and the choices are "Move to Vault, Ignore and Close, Which one should i choose???
    I dont know if i should choose "Move to Vault" because the file path seems like its an important file such as C:\WINDOWS\system32 ??? if i move it to the vault will it cause ANY damage...??

    THANKS....
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Move to Vault is what you should select.

    Please post a new hijackthis log.
     
  12. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    Also, I dont know why but on startup AVG always runs a complete scan, and its says the file found is "hosts" and the result is "change/infection" what is wrong with this????

    Hijack this Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:34 AM, on 24/04/2008
    Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3244)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/se...0000097.000001cf&c=00000082.000000e6.0000026f
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OKAYW - Unknown owner - C:\DOCUME~1\Fung\LOCALS~1\Temp\OKAYW.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 7316 bytes
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find:

    OKAYW

    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.
    Exit the Services utility.


    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    Download the HostsXpert 4.2 - Hosts File Manager.
    • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    • Run HostsXpert 4.2 - Hosts File Manager from its new home
    • Click on the Make Writable? button.
    • Click on "File Handling".
    • Click on "Restore MS Hosts File".
    • Click OK on the Confirmation box.
    • Click on "Make Read Only?"
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
     
  14. Mucknie

    Mucknie Account Closed Thread Starter

    Joined:
    Dec 30, 2007
    Messages:
    72
    Nup...that didn't work.... i THINK the hosts problem is fixed.. But the Anti- Virus tab is still dodgy... I dont know if its the security centre OR if its actually my OLD Norton wasn't properly uninstalled... BTW i have a little browser problem :
    When i fully load an online video such as Youtube and i might accidently click "back" or something, when i come back to the video I have to reload it again... This becomes REALLY frustrating especially when its a long video... This never used to happen before but suddenly this problem appeared.
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Solved Hijack
  1. genubi
    Replies:
    0
    Views:
    306
  2. bj nick
    Replies:
    0
    Views:
    689
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/703233

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice