XP IE/FF popups, .dll's and registry edits

Strongbow03 (Thread Starter; joined Oct 2, 2008; 8 messages)
First things first, a log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03, on 02/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\HU200.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {3396B97E-39F0-49FA-834F-14E7E771D44B} - C:\WINDOWS\dfmlxbpkqma.dll (file missing)
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\khfCrSjg.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58679ABB-0C02-42D5-9CC3-052A545417EF} - C:\WINDOWS\system32\yayaBQJc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9B6055F6-9C01-4612-A7A8-8854688272E4} - C:\WINDOWS\system32\rqRHyxxU.dll (file missing)
O2 - BHO: (no name) - {D63C644C-21BE-42DE-8EDF-54B3A23B89B0} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213111510406
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: khfCrSjg - khfCrSjg.dll (file missing)
O21 - SSODL: onfwbsak - {7C2BACA7-51C2-4225-A61C-DDE5F3C5E5CB} - C:\WINDOWS\onfwbsak.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: HU200SVC - GEMTEKS - C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 8016 bytes
At the time of writing, AVG has just thrown up a warning over two files.

c:\windows\system32\nvcrnpta.dll and rqrhyxxu.dll, which are listed as "Trojan Horse Generic11.AMNU" and "Generic11.AMAS" respectively.

Some background info - I've been having trouble with similar things for a few days now: seemingly randomly named .dll files getting picked up, but the removal tools seem to do nothing, even when run in safe mode with no internet connection. In addition, I sometimes get error messages and warnings related to system recovery files. That hasn't happened yet today, so I cannot quote it, unfortunately.

My system has no noticeable slowdown, with the titular IE/FF popups being intermittent at no fixed times or intervals. Likewise, on startup, Spybot will warn me of oddly named .dll files wanting to make registry edits.

Any help welcomed.
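Reading the O2/O20/O21 lines in the log above, the tell is not the random names on their own but "(file missing)": a registered load point (a BHO, a Winlogon Notify handler, an SSODL object) whose DLL is gone is exactly the residue left when a scanner deletes the file but not the registry entry, and it is what HijackThis would be asked to fix. The script below is an added example, not part of the original thread and not a HijackThis or Malwarebytes feature: it parses those lines, scores them, and emits the registry keys that need deleting, which can be compared with what Malwarebytes removes later in the thread. The consonant-run heuristic for "random-looking" names, the sample lines, the verdict labels and the key templates are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the O2/O20/O21 lines from the HijackThis
# log in the post above. A complete log is fed to triage() the same way.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {3396B97E-39F0-49FA-834F-14E7E771D44B} - C:\WINDOWS\dfmlxbpkqma.dll (file missing)
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\khfCrSjg.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58679ABB-0C02-42D5-9CC3-052A545417EF} - C:\WINDOWS\system32\yayaBQJc.dll (file missing)
O2 - BHO: (no name) - {D63C644C-21BE-42DE-8EDF-54B3A23B89B0} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: khfCrSjg - khfCrSjg.dll (file missing)
O21 - SSODL: onfwbsak - {7C2BACA7-51C2-4225-A61C-DDE5F3C5E5CB} - C:\WINDOWS\onfwbsak.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>O2|O20|O21) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL_RE = re.compile(r"([A-Za-z0-9_~]+)\.dll", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")

# Registry locations behind each HijackThis section (standard HJT semantics).
KEY_FOR = {
    "BHO": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
    "Winlogon Notify": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{name}",
    "SSODL": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\{name}",
}


@dataclass
class Finding:
    section: str
    kind: str
    name: str              # BHO display name, Notify key, SSODL name, or bare DLL
    clsid: Optional[str]
    dll: Optional[str]
    reasons: List[str]
    verdict: str           # "remove" (DLL absent) or "review" (suspicious only)


def looks_random(stem: str, min_len: int = 6, max_run: int = 4) -> bool:
    """Heuristic chosen for this example (not a rule from the thread): an
    all-letter stem of min_len+ chars with max_run+ consecutive consonants
    (y counted as a consonant). Legitimate names trip it too (avgrsstx.dll),
    so on its own it only yields 'review', never 'remove'."""
    if len(stem) < min_len or not stem.isalpha():
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= max_run


def triage(log_text: str) -> List[Finding]:
    """Score O2 (BHO), O20 (AppInit_DLLs / Winlogon Notify) and O21 (SSODL)
    lines. A load point whose module is reported missing is the strongest
    signal: it is the residue of a file deleted without its registry key."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.group("section"), m.group("kind"), m.group("rest")
        missing = rest.endswith("(file missing)") or rest.endswith("(no file)")
        clsid_m, dll_m = CLSID_RE.search(rest), DLL_RE.search(rest)
        stem = dll_m.group(1) if dll_m else None
        name = rest.split(" - ")[0]
        reasons = []
        if missing:
            reasons.append("load point registered but its DLL is absent")
        if stem and looks_random(stem):
            reasons.append(f"random-looking module name {stem}.dll")
        if name == "(no name)":
            reasons.append("object registered without a display name")
        if reasons:
            findings.append(Finding(section, kind, name,
                                    clsid_m.group(0) if clsid_m else None,
                                    f"{stem}.dll" if stem else None,
                                    reasons, "remove" if missing else "review"))
    return findings


def removal_plan(findings: List[Finding]) -> List[str]:
    """Registry keys to delete for every 'remove' verdict, plus the HKCR
    CLSID key that each BHO/SSODL object also registers under."""
    plan = []
    for f in findings:
        if f.verdict != "remove" or f.kind not in KEY_FOR:
            continue
        plan.append(KEY_FOR[f.kind].format(clsid=f.clsid, name=f.name))
        if f.clsid:
            plan.append("HKCR\\CLSID\\" + f.clsid)
    return plan
```

Calling `removal_plan(triage(SAMPLE_HJT_LOG))` lists eleven keys, among them the Browser Helper Objects and HKCR\CLSID keys for {33AC7D18-...}, the Winlogon\Notify\khfCrSjg key and the ShellServiceObjectDelayLoad\onfwbsak value. AVG's own AppInit hook, avgrsstx.dll, trips the name heuristic and is correctly held at "review", which is why a missing file rather than a strange name drives the "remove" verdict.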
 

dvk01 (Derek; Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)
First:

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm
_ _ _ _

Then:

Please download Malwarebytes' Anti-Malware to your desktop
from http://thespykiller.co.uk/downloads/mbam-setup.exe or http://www.malwarebytes.org/affiliates/thespykiller/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.
 

Strongbow03 (Thread Starter; joined Oct 2, 2008; 8 messages)
Teatimer disabled.

Malware Log.

Malwarebytes' Anti-Malware 1.28
Database version: 1232
Windows 5.1.2600 Service Pack 3

06/10/2008 10:17:37
mbam-log-2008-10-06 (10-17-37).txt

Scan type: Quick Scan
Objects scanned: 49212
Time elapsed: 18 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33ac7d18-dc35-4d1a-940e-afd5fc5c3327} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfcrsjg (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{33ac7d18-dc35-4d1a-940e-afd5fc5c3327} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.bmfr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca5df1da-5181-4190-b40b-e3fd8fb1eaed} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\khfCrSjg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ayfyjxgo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ogxjyfya.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iujdnpoj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jopndjui.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knnqdhmk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kmhdqnnk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\eldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\5PTXICKY\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\IWUSDWC0\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\W952ZUDT\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\TmpRecentIcons\Micro Antivirus 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
During the scan, the following alerts were produced. Linked as an attachment; may or may not be useful. Likewise, a fresh HijackThis log is included.
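The Malwarebytes file list shows a pattern worth knowing when reading Vundo logs: each dropped DLL has an .ini companion whose name is the DLL name spelled backwards (ayfyjxgo.dll / ogxjyfya.ini, iujdnpoj.dll / jopndjui.ini, knnqdhmk.dll / kmhdqnnk.ini), and the same reversal links the ComboFix "Other Deletions" later in the thread back to earlier detections (cJQBayay.ini to the yayaBQJc.dll BHO in the first HijackThis log, atpnrcvn.ini to the nvcrnpta.dll that AVG flagged). The script below is an added example, not part of the original thread and not taken from any tool it mentions: it pulls file names out of pasted log text and uses that reversal to pair them, so an .ini with no matching DLL in any log predicts the name of a module still to be found, and a DLL with no companion is worth checking by hand. The regex, the constructed excerpt and the lower-casing are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt: file names copied from the AVG alert, the HijackThis
# log, the Malwarebytes log above and the ComboFix "Other Deletions" list
# later in the thread. Any text containing paths or bare file names will do.
SAMPLE_LOG_EXCERPT = r"""
AVG flagged c:\windows\system32\nvcrnpta.dll and rqrhyxxu.dll as Trojan Horse Generic11
O2 - BHO: (no name) - {58679ABB-0C02-42D5-9CC3-052A545417EF} - C:\WINDOWS\system32\yayaBQJc.dll (file missing)
O2 - BHO: (no name) - {9B6055F6-9C01-4612-A7A8-8854688272E4} - C:\WINDOWS\system32\rqRHyxxU.dll (file missing)
C:\WINDOWS\system32\khfCrSjg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ayfyjxgo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ogxjyfya.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iujdnpoj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jopndjui.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knnqdhmk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kmhdqnnk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atpnrcvn.ini
C:\WINDOWS\system32\bkwmaqck.ini
C:\WINDOWS\system32\cJQBayay.ini
C:\WINDOWS\system32\cJQBayay.ini2
C:\WINDOWS\system32\UxxyHRqr.ini
C:\WINDOWS\system32\UxxyHRqr.ini2
"""

# Bare file names with a .dll, .ini or .ini2 extension, wherever they sit in a line.
FILE_RE = re.compile(r"([A-Za-z0-9_~]+)\.(dll|ini2?)\b", re.IGNORECASE)


def extract_stems(text: str) -> Tuple[set, set]:
    """Return (dll_stems, ini_stems), lower-cased because NTFS name lookups
    are case-insensitive and the same DLL appears as rqRHyxxU and rqrhyxxu."""
    dlls, inis = set(), set()
    for m in FILE_RE.finditer(text):
        stem, ext = m.group(1).lower(), m.group(2).lower()
        (dlls if ext == "dll" else inis).add(stem)
    return dlls, inis


def correlate(text: str) -> Dict[str, List]:
    """Pair each .ini with the DLL whose name is its reverse.
    pairs:           DLL and companion both seen in the logs
    ini_without_dll: .ini seen, DLL never logged; the predicted DLL name is
                     what to search for (or what a locked file may be called)
    dll_without_ini: DLL seen with no companion, worth a manual look"""
    dlls, inis = extract_stems(text)
    pairs, ini_only, dll_only = [], [], []
    for ini in sorted(inis):
        dll = ini[::-1]
        if dll in dlls:
            pairs.append((dll + ".dll", ini + ".ini"))
        else:
            ini_only.append((ini + ".ini", dll + ".dll"))
    for dll in sorted(dlls):
        if dll[::-1] not in inis:
            dll_only.append(dll + ".dll")
    return {"pairs": pairs, "ini_without_dll": ini_only, "dll_without_ini": dll_only}


if __name__ == "__main__":
    for key, rows in correlate(SAMPLE_LOG_EXCERPT).items():
        print(key)
        for row in rows:
            print("   ", row)
```

On the excerpt this yields six pairs, one orphan .ini (bkwmaqck.ini, whose DLL would be called kcqamwkb.dll) and one DLL without a companion (khfCrSjg.dll). The orphan is the useful output: it names a file that none of the tools reported, which is the kind of leftover the helper's "I don't think it deleted them all" remark is about.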
 


dvk01 (Derek; Retired Moderator, Retired Malware Specialist; joined Dec 14, 2002; 56,452 messages)
It looks like AVG might have blocked a lot of it from being deleted.

When it pops up an alert it locks the file, and I don't think it deleted them all.

Next step will be:

Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix; especially follow the advice about installing the Recovery Console.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply.
 

Strongbow03 (Thread Starter; joined Oct 2, 2008; 8 messages)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14, on 06/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\HU200.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213111510406
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: HU200SVC - GEMTEKS - C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6572 bytes
and

ComboFix 08-10-05.06 - User 2008-10-06 11:57:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\databak3.exe
C:\WINDOWS\system32\atpnrcvn.ini
C:\WINDOWS\system32\bkwmaqck.ini
C:\WINDOWS\system32\cJQBayay.ini
C:\WINDOWS\system32\cJQBayay.ini2
C:\WINDOWS\system32\kqabmtbb.ini
C:\WINDOWS\system32\oijbxopr.ini
C:\WINDOWS\system32\UxxyHRqr.ini
C:\WINDOWS\system32\UxxyHRqr.ini2
C:\WINDOWS\system32\vwmlushb.ini
C:\WINDOWS\system32\xiqkurnp.ini
C:\WINDOWS\system32\yfmgipvq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWSDRIVER


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-06 09:57 . 2008-10-06 09:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 09:57 . 2008-10-06 09:57 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-06 09:57 . 2008-10-06 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-06 09:57 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-06 09:57 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-05 16:55 . 2008-10-05 16:55 <DIR> d-------- C:\Program Files\TQ Defiler
2008-10-05 16:55 . 2008-10-05 16:55 <DIR> d-------- C:\Defiler Backups
2008-10-05 15:07 . 2007-01-01 20:03 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-10-05 15:02 . 2008-10-06 08:12 <DIR> d-------- C:\Program Files\THQ
2008-10-05 14:01 . 2008-10-05 14:01 <DIR> d-------- C:\Program Files\EA GAMES
2008-10-05 14:01 . 2004-08-18 04:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-10-03 18:20 . 2008-10-03 18:20 <DIR> d-------- C:\Program Files\Infogrames
2008-10-02 15:18 . 1995-04-19 00:00 92,208 --a------ C:\WINDOWS\system32\WING.DLL
2008-10-02 15:18 . 1995-04-19 00:00 27,136 --a------ C:\WINDOWS\system32\WAVMIX16.DLL
2008-10-02 15:18 . 1995-04-19 00:00 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-10-01 14:25 . 2008-10-01 14:29 <DIR> d-------- C:\Program Files\Age of Wonders Shadow Magic
2008-09-30 15:58 . 2008-09-30 15:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 15:51 . 2008-09-30 15:51 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-29 01:29 . 2008-09-29 01:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-29 01:29 . 2008-09-29 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-28 23:01 . 2008-09-28 23:01 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-09-28 23:01 . 2008-09-28 23:01 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-09-28 23:01 . 2008-09-28 23:01 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-09-28 22:46 . 2008-09-28 22:46 <DIR> d-------- C:\Sierra
2008-09-28 17:03 . 2008-10-06 10:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-28 17:00 . 2008-10-05 13:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-28 17:00 . 2008-09-28 17:00 <DIR> d-------- C:\Program Files\AVG
2008-09-28 17:00 . 2008-09-28 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-28 17:00 . 2008-09-28 17:00 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-28 17:00 . 2008-09-28 17:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-28 17:00 . 2008-09-28 17:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-27 14:33 . 2008-09-27 14:33 <DIR> d-------- C:\Program Files\2K Games
2008-09-26 21:39 . 2008-09-26 21:39 <DIR> d-------- C:\Program Files\FreeCommander
2008-09-26 20:26 . 2008-09-28 17:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-26 20:04 . 2008-09-26 20:04 <DIR> d-------- C:\VundoFix Backups
2008-09-26 19:22 . 2008-09-26 21:24 620 --a------ C:\WINDOWS\wininit.ini
2008-09-26 18:30 . 2008-09-26 19:53 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-26 18:16 . 2008-09-26 16:32 385,024 --------- C:\WINDOWS\rwlfsdmk.dll_old
2008-09-21 11:14 . 2008-09-21 11:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\ImgBurn
2008-09-21 10:38 . 2008-09-21 10:39 <DIR> d-------- C:\Program Files\ImgBurn
2008-09-21 01:20 . 2008-09-13 22:17 16 --a------ C:\common-key
2008-09-21 01:19 . 2008-09-13 22:17 59,624 --a------ C:\backup-creator.exe
2008-09-19 21:03 . 2008-09-19 21:03 3,911 --a------ C:\ATMA_config.ini
2008-09-19 20:40 . 2008-09-19 21:13 <DIR> d-------- C:\Program Files\Hero Editor
2008-09-19 20:40 . 2008-09-19 21:12 249,856 --------- C:\WINDOWS\Setup1.exe
2008-09-19 20:40 . 2008-09-19 21:12 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-09-19 07:48 . 2008-09-19 07:48 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-17 18:44 . 2008-09-27 19:02 22 --a------ C:\WINDOWS\popcinfot.dat
2008-09-17 18:40 . 2008-09-27 19:02 <DIR> d-------- C:\Program Files\Peggle Nights Deluxe
2008-09-15 23:46 . 2008-09-15 23:46 <DIR> d-------- C:\Program Files\Sirtech
2008-09-15 23:45 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-09-14 03:25 . 2008-09-14 03:25 26,116 --a------ C:\myNumbers.dat
2008-09-14 03:25 . 2008-09-14 03:25 4,252 --a------ C:\WINDOWS\warp1px.drv
2008-09-14 03:23 . 2008-09-14 03:23 <DIR> d-------- C:\Warpath 21st Century
2008-09-13 20:08 . 2008-09-13 20:08 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-12 19:01 . 2008-09-12 19:01 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-07 00:12 . 2008-09-07 00:12 <DIR> d-------- C:\Program Files\ATMA V

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 08:46 --------- d-----w C:\Documents and Settings\User\Application Data\.purple
2008-10-06 07:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-05 14:15 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-10-02 23:47 --------- d-----w C:\Program Files\M3 GAME Manager
2008-10-01 23:11 --------- d-----w C:\Documents and Settings\User\Application Data\gtk-2.0
2008-09-29 00:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 20:26 --------- d-----w C:\Program Files\Diablo II
2008-09-28 12:16 --------- d-----w C:\Program Files\Pidgin
2008-09-26 23:02 --------- d-----w C:\Documents and Settings\User\Application Data\GrabIt
2008-09-26 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-26 19:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-26 18:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-26 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-23 19:23 --------- d-----w C:\Documents and Settings\User\Application Data\BitTorrent
2008-09-19 20:09 --------- d-----w C:\Program Files\Anno 1701
2008-09-19 06:34 --------- d-----w C:\Program Files\Microsoft Works
2008-09-17 16:58 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-08-23 23:57 --------- d-----w C:\Program Files\ReflexiveArcade
2008-08-19 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\NewsBin
2008-08-19 00:05 --------- d-----w C:\Program Files\Kudos 2-in-1
2008-08-17 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-17 16:45 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-17 16:40 --------- d-----w C:\Program Files\Windows Live
2008-08-17 16:32 --------- d-----w C:\Program Files\Ventrilo
2008-08-17 16:32 --------- d-----w C:\Documents and Settings\User\Application Data\Ventrilo
2008-08-17 16:00 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-08-17 16:00 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-08-15 00:15 --------- d-----w C:\Program Files\Paint.NET
2008-08-14 20:08 --------- d-----w C:\Program Files\Smart Projects
2008-08-10 22:32 --------- d-----w C:\Documents and Settings\User\Application Data\SystemRequirementsLab
2008-08-10 20:52 --------- d-----w C:\Program Files\Gargoyle
2008-08-08 00:06 --------- d-----w C:\Program Files\EndItAll
2008-08-07 10:33 --------- d-----w C:\Program Files\7-Zip
2008-07-21 22:44 1,695,744 ----a-w C:\Documents and Settings\User\Application Data\databak.exe
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
ProcessTamer.lnk - C:\Program Files\ProcessTamer\ProcessTamerTray.exe [2008-06-10 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-28 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-28 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-28 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-28 76040]
R2 HU200SVC;HU200SVC;C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe HU200.exe [ ]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 1287296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8665d2ed-36f7-11dd-8f53-ae9b405cbf2c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e11b7646-3794-11dd-8f5c-0012178103f5}]
\Shell\AutoRun\command - J:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D63C644C-21BE-42DE-8EDF-54B3A23B89B0} - (no file)
HKLM-Run-Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
ShellExecuteHooks-{33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - (no file)
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lnum7n98.default\
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 12:03:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\HU200.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-06 12:11:31 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-10-06 11:11:21

Pre-Run: 40,394,719,232 bytes free
Post-Run: 40,821,280,768 bytes free

231 --- E O F --- 2008-10-06 11:10:03

as requested.

I also redid step 1 (MalwareBytes) after disabling AVG, but before running Combofix, which turned up nothing (not even the previously found warnings) at all. Presumably, Combofix gives more information, however.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
ComboFix should have deleted all temp files, but you do have 1 problem we need to deal with:

an autorun that starts & loads malware from System Restore.

I can't tell if the file exists or not, or if it is just the registry entry, but we will clear System Restore as part of the final clean-up, when everything is cleaned
(I always leave SR till last as a backup in case something goes wrong).

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
 

Attachments
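The MountPoints2 AutoRun entry Derek singles out above is the kind of thing a log reviewer wants to catch mechanically rather than by eye. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses the "Reg Loading Points" block of a ComboFix log, collects every MountPoints2 `\Shell\AutoRun\command` line, and flags commands whose target lives under System Volume Information (the System Restore store, which nothing legitimate autoruns from) or that are launched through rundll32/ShellExec_RunDLL, while leaving the ordinary `J:\Launch.exe` CD autorun alone. The sample log text is constructed from the entries in the log above; the marker list, the reason strings and the function names are my own assumptions, not anything ComboFix emits.

```python
import re

# Constructed sample: the Reg Loading Points lines from the ComboFix log above, reduced to
# one ordinary Run entry and the two MountPoints2 AutoRun entries, so the parser runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8665d2ed-36f7-11dd-8f53-ae9b405cbf2c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e11b7646-3794-11dd-8f5c-0012178103f5}]
\Shell\AutoRun\command - J:\Launch.exe
"""

# A "[key]" header line and an AutoRun command line, in the layout ComboFix uses above.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)

# Substrings that do not belong in a removable-media AutoRun command, with the reason each is
# flagged. The list is an assumption for this example, not a ComboFix rule set.
SUSPICIOUS_MARKERS = {
    "systemvolumeinformation": "target sits in the System Restore store (System Volume Information)",
    "system volume information": "target sits in the System Restore store (System Volume Information)",
    "rundll32": "rundll32/ShellExec_RunDLL is used as a launcher instead of naming the binary directly",
}


def parse_autoruns(log_text):
    """Return (registry key, command) pairs for every MountPoints2 AutoRun command in the log."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")  # remember which [key] block we are inside
            continue
        cmd_match = AUTORUN_RE.match(line)
        if cmd_match and current_key and "mountpoints2" in current_key.lower():
            entries.append((current_key, cmd_match.group("cmd")))
    return entries


def classify(cmd):
    """Return the reasons a command looks suspicious; an empty list means a plain media autorun."""
    lowered = cmd.lower()
    return [reason for marker, reason in SUSPICIOUS_MARKERS.items() if marker in lowered]


def find_suspicious_autoruns(log_text):
    """Return (key, command, reasons) for the AutoRun entries that should be investigated."""
    hits = []
    for key, cmd in parse_autoruns(log_text):
        reasons = classify(cmd)
        if reasons:
            hits.append((key, cmd, reasons))
    return hits


if __name__ == "__main__":
    # Prints only the System Volume Information entry; J:\Launch.exe is left alone.
    for key, cmd, reasons in find_suspicious_autoruns(SAMPLE_LOG):
        print(key)
        print("   ", cmd)
        for reason in reasons:
            print("      -", reason)
```

The parser keys on the `[key]` header that precedes each value line, because ComboFix prints the AutoRun command on its own line without repeating the key; the point of the second, benign entry is to show that a drive's AutoRun pointing at its own root is normal and should not be reported, so the detection is on where the target lives and how it is launched, not on the existence of a MountPoints2 entry.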

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Then:

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HijackThis log along with the results from the Kaspersky scan.

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.
 

Strongbow03

Thread Starter
Joined
Oct 2, 2008
Messages
8
* Run Kaspersky online virus scan Kaspersky Online Scanner.

This step has been causing me some issues, hence the late reply.

Around 4 hours, or 15% into the scan, my system will either freeze completely or reboot itself. I've tried the scan several times in IE, and once or twice in Firefox just to spice things up. No dice.

Is there an alternative to Kaspersky?
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Post the latest ComboFix log anyway so we can see if anything has appeared.
 

Strongbow03

Thread Starter
Joined
Oct 2, 2008
Messages
8
Combofix, as requested.

ComboFix 08-10-05.06 - User 2008-10-06 13:50:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.528 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-06 09:57 . 2008-10-06 09:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 09:57 . 2008-10-06 09:57 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-10-06 09:57 . 2008-10-06 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-06 09:57 . 2008-09-10 00:09 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-06 09:57 . 2008-09-10 00:09 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-05 16:55 . 2008-10-05 16:55 <DIR> d-------- C:\Program Files\TQ Defiler
2008-10-05 16:55 . 2008-10-05 16:55 <DIR> d-------- C:\Defiler Backups
2008-10-05 15:07 . 2007-01-01 20:03 40,960 -ra------ C:\WINDOWS\system32\psfind.dll
2008-10-05 15:02 . 2008-10-06 08:12 <DIR> d-------- C:\Program Files\THQ
2008-10-05 14:01 . 2008-10-05 14:01 <DIR> d-------- C:\Program Files\EA GAMES
2008-10-05 14:01 . 2004-08-18 04:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-10-03 18:20 . 2008-10-03 18:20 <DIR> d-------- C:\Program Files\Infogrames
2008-10-02 15:18 . 1995-04-19 00:00 92,208 --a------ C:\WINDOWS\system32\WING.DLL
2008-10-02 15:18 . 1995-04-19 00:00 27,136 --a------ C:\WINDOWS\system32\WAVMIX16.DLL
2008-10-02 15:18 . 1995-04-19 00:00 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-10-01 14:25 . 2008-10-01 14:29 <DIR> d-------- C:\Program Files\Age of Wonders Shadow Magic
2008-09-30 15:58 . 2008-09-30 15:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-30 15:51 . 2008-09-30 15:51 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-29 01:29 . 2008-09-29 01:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-29 01:29 . 2008-09-29 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-28 23:01 . 2008-09-28 23:01 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-09-28 23:01 . 2008-09-28 23:01 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-09-28 23:01 . 2008-09-28 23:01 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-09-28 22:46 . 2008-09-28 22:46 <DIR> d-------- C:\Sierra
2008-09-28 17:03 . 2008-10-06 10:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-28 17:00 . 2008-10-05 13:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-28 17:00 . 2008-09-28 17:00 <DIR> d-------- C:\Program Files\AVG
2008-09-28 17:00 . 2008-09-28 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-28 17:00 . 2008-09-28 17:00 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-28 17:00 . 2008-09-28 17:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-28 17:00 . 2008-09-28 17:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-27 14:33 . 2008-09-27 14:33 <DIR> d-------- C:\Program Files\2K Games
2008-09-26 21:39 . 2008-09-26 21:39 <DIR> d-------- C:\Program Files\FreeCommander
2008-09-26 20:26 . 2008-09-28 17:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-26 20:04 . 2008-09-26 20:04 <DIR> d-------- C:\VundoFix Backups
2008-09-26 19:22 . 2008-09-26 21:24 620 --a------ C:\WINDOWS\wininit.ini
2008-09-26 18:30 . 2008-09-26 19:53 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-26 18:16 . 2008-09-26 16:32 385,024 --------- C:\WINDOWS\rwlfsdmk.dll_old
2008-09-21 11:14 . 2008-09-21 11:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\ImgBurn
2008-09-21 10:38 . 2008-09-21 10:39 <DIR> d-------- C:\Program Files\ImgBurn
2008-09-21 01:20 . 2008-09-13 22:17 16 --a------ C:\common-key
2008-09-21 01:19 . 2008-09-13 22:17 59,624 --a------ C:\backup-creator.exe
2008-09-19 21:03 . 2008-09-19 21:03 3,911 --a------ C:\ATMA_config.ini
2008-09-19 20:40 . 2008-09-19 21:13 <DIR> d-------- C:\Program Files\Hero Editor
2008-09-19 20:40 . 2008-09-19 21:12 249,856 --------- C:\WINDOWS\Setup1.exe
2008-09-19 20:40 . 2008-09-19 21:12 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-09-19 07:48 . 2008-09-19 07:48 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-17 18:44 . 2008-09-27 19:02 22 --a------ C:\WINDOWS\popcinfot.dat
2008-09-17 18:40 . 2008-09-27 19:02 <DIR> d-------- C:\Program Files\Peggle Nights Deluxe
2008-09-15 23:46 . 2008-09-15 23:46 <DIR> d-------- C:\Program Files\Sirtech
2008-09-15 23:45 . 1998-10-29 17:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-09-14 03:25 . 2008-09-14 03:25 26,116 --a------ C:\myNumbers.dat
2008-09-14 03:25 . 2008-09-14 03:25 4,252 --a------ C:\WINDOWS\warp1px.drv
2008-09-14 03:23 . 2008-09-14 03:23 <DIR> d-------- C:\Warpath 21st Century
2008-09-13 20:08 . 2008-09-13 20:08 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-12 19:01 . 2008-09-12 19:01 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-07 00:12 . 2008-09-07 00:12 <DIR> d-------- C:\Program Files\ATMA V

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 08:46 --------- d-----w C:\Documents and Settings\User\Application Data\.purple
2008-10-06 07:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-05 14:15 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-10-02 23:47 --------- d-----w C:\Program Files\M3 GAME Manager
2008-10-01 23:11 --------- d-----w C:\Documents and Settings\User\Application Data\gtk-2.0
2008-09-29 00:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 20:26 --------- d-----w C:\Program Files\Diablo II
2008-09-28 12:16 --------- d-----w C:\Program Files\Pidgin
2008-09-26 23:02 --------- d-----w C:\Documents and Settings\User\Application Data\GrabIt
2008-09-26 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-26 19:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-26 18:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-26 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-23 19:23 --------- d-----w C:\Documents and Settings\User\Application Data\BitTorrent
2008-09-19 20:09 --------- d-----w C:\Program Files\Anno 1701
2008-09-19 06:34 --------- d-----w C:\Program Files\Microsoft Works
2008-09-17 16:58 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-08-23 23:57 --------- d-----w C:\Program Files\ReflexiveArcade
2008-08-19 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\NewsBin
2008-08-19 00:05 --------- d-----w C:\Program Files\Kudos 2-in-1
2008-08-17 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-17 16:45 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-17 16:40 --------- d-----w C:\Program Files\Windows Live
2008-08-17 16:32 --------- d-----w C:\Program Files\Ventrilo
2008-08-17 16:32 --------- d-----w C:\Documents and Settings\User\Application Data\Ventrilo
2008-08-17 16:00 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-08-17 16:00 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-08-15 00:15 --------- d-----w C:\Program Files\Paint.NET
2008-08-14 20:08 --------- d-----w C:\Program Files\Smart Projects
2008-08-10 22:32 --------- d-----w C:\Documents and Settings\User\Application Data\SystemRequirementsLab
2008-08-10 20:52 --------- d-----w C:\Program Files\Gargoyle
2008-08-08 00:06 --------- d-----w C:\Program Files\EndItAll
2008-08-07 10:33 --------- d-----w C:\Program Files\7-Zip
2008-07-21 22:44 1,695,744 ----a-w C:\Documents and Settings\User\Application Data\databak.exe
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( [email protected]_12.10.57.65 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
ProcessTamer.lnk - C:\Program Files\ProcessTamer\ProcessTamerTray.exe [2008-06-10 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-28 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-28 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-28 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-28 76040]
R2 HU200SVC;HU200SVC;C:\Program Files\Linksys Home Wireless-G USB Wireless Network Monitor\WLService.exe HU200.exe [ ]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 1287296]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 13:56:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-06 13:57:33
ComboFix-quarantined-files.txt 2008-10-06 12:57:23
ComboFix2.txt 2008-10-06 11:11:33

Pre-Run: 34,603,343,872 bytes free
Post-Run: 34,591,977,472 bytes free

185 --- E O F --- 2008-10-06 11:10:03
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

At the end it will pop up an alert, open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to & select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and then, when all the files are listed in the window, press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\ created by ComboFix, named something like [38][email protected]
 

Attachments

Strongbow03

Thread Starter
Joined
Oct 2, 2008
Messages
8
File uploaded. I didn't get any sort of confirmation other than "File uploaded", so I'll have to hope you know where it's stored.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

This will create a zip file inside C:\QooBox\ named something like [38][email protected]

At the end it will pop up an alert, open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to & select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and then, when all the files are listed in the window, press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\ created by ComboFix, named something like [38][email protected]
 

Attachments
