> Problem with virus and "jkkKawvu.dll"
adimwis
post Jul 25 2008, 07:47 AM
Post #1


New Member
*

Group: New Member
Posts: 3
Joined: 25-July 08
Member No.: 80,517
Operating System: Windows XP



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:36 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\Adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\PaperCut Print Logger\pcpl.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avant Browser\avant.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\System Files Updater.exe /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8C978C-06C8-4D47-B918-B27A37470631}: NameServer = 10.1.1.1
O20 - Winlogon Notify: jkkKawvu - C:\WINDOWS\SYSTEM32\jkkKawvu.dll

--
End of file - 3001 bytes




This thing is causing ridiculous HDD activity. Not sure what it is or how to get rid of it - it came in a zip file which has since been deleted and I can't find where I got it from - also Google returns no results on jkkKawvu.dll or jkkKawvu.

thanks for your time.

Adam

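The entry the helper acts on in this log is the O20 Winlogon Notify handler pointing at a DLL with a random-looking name. The following is an added example, not code from the thread or from HijackThis: it parses HijackThis-style section lines and flags O20 handlers whose file name fits an assumed "random name" heuristic (eight letters, mixed case, a run of three or more consonants), plus entries marked "(file missing)". The sample lines are constructed from the log above; the khfDwtuT and NavLogon O20 lines are constructed for contrast.

```python
"""Flag random-named Winlogon Notify (O20) handlers in a HijackThis-style log.
Added example for the thread above; the heuristic is an assumption of this
example, not a rule HijackThis itself applies."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: section lines copied from the first HijackThis log in the
# thread, plus two constructed O20 lines (khfDwtuT.dll is the second file
# ComboFix later removed; NavLogon is a benign-shaped name added for contrast).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8C978C-06C8-4D47-B918-B27A37470631}: NameServer = 10.1.1.1
O20 - Winlogon Notify: jkkKawvu - C:\WINDOWS\SYSTEM32\jkkKawvu.dll
O20 - Winlogon Notify: khfDwtuT - C:\WINDOWS\system32\khfDwtuT.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# HijackThis section lines look like "O20 - ..." / "R0 - ..."; process-list
# lines and the header do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the O/R/F/N section lines of a HijackThis log as entries."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def looks_random(stem: str) -> bool:
    """Assumed heuristic: exactly eight letters, mixed case, and a run of at
    least three consonants. jkkKawvu and khfDwtuT match; NavLogon does not."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    if stem.lower() == stem or stem.upper() == stem:
        return False
    longest = run = 0
    for ch in stem.lower():
        run = 0 if ch in "aeiouy" else run + 1
        longest = max(longest, run)
    return longest >= 3


def review(entries: list[Entry]) -> list[str]:
    """Produce review notes: suspicious O20 handlers and stale entries."""
    notes = []
    for e in entries:
        if e.code == "O20":
            m = O20_RE.match(e.body)
            if m:
                # "C:\WINDOWS\SYSTEM32\jkkKawvu.dll" -> "jkkKawvu"
                stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if looks_random(stem):
                    notes.append(f"O20 suspicious: {m['name']} -> {m['path']}")
        if e.body.endswith("(file missing)"):
            notes.append(f"{e.code} stale entry: {e.body}")
    return notes


if __name__ == "__main__":
    for note in review(parse_hjt(SAMPLE_LOG)):
        print(note)
```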
Tomk
post Jul 28 2008, 10:44 PM
Post #2


Extrication Intern
Group Icon

Group: Malware Team
Posts: 1,652
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Hi adimwis, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.



A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)


C. Go to Start -> Run -> copy/paste the following single line command in the runbox & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.



Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
adimwis
post Jul 29 2008, 01:51 AM
Post #3





Thanks for the great instructions - not that I needed them quite that detailed but still - very clear!


ComboFix 08-07-28.4 - Adam 2008-07-29 19:31:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.801 [GMT 12:00]
Running from: C:\Documents and Settings\Adam\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Adam\Application Data\inst.exe
C:\WINDOWS\system32\jkkKawvu.dll
C:\WINDOWS\system32\khfDwtuT.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-26 17:08 . 2008-07-26 17:11 <DIR> d-------- C:\!KillBox
2008-07-26 02:35 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-26 02:34 . 2008-07-26 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-07-26 02:34 . 2008-07-26 02:38 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Simply Super Software
2008-07-26 02:34 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-26 02:34 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-07-26 02:34 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-26 02:34 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-07-26 00:53 . 2008-07-26 00:53 123,131 --a------ C:\WINDOWS\system32\system32.rar
2008-07-25 01:18 . 2008-07-25 01:18 17,920 --a------ C:\WINDOWS\system32\bho2_e.dll
2008-07-23 18:07 . 2008-07-23 18:07 <DIR> d-------- C:\Program Files\Common Files\MAPILab Ltd
2008-07-23 14:18 . 2008-07-23 14:18 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Sony
2008-07-23 14:15 . 2008-07-23 14:15 <DIR> d-------- C:\Program Files\Vstplugins
2008-07-23 14:14 . 2008-07-23 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-07-11 08:29 . 2008-07-11 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-30 13:55 . 2008-07-15 13:39 <DIR> d-------- C:\Program Files\FrostWire
2008-06-30 13:55 . 2008-07-22 23:36 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\FrostWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 07:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 07:42 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-07-23 06:31 --------- d-----w C:\Documents and Settings\Adam\Application Data\uTorrent
2008-07-20 01:18 --------- d-----w C:\Program Files\Winamp
2008-06-30 01:50 --------- d-----w C:\Documents and Settings\Adam\Application Data\LimeWire
2008-06-30 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-28 03:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-28 02:34 --------- d-----w C:\Program Files\PaperCut Print Logger
2008-06-25 21:52 --------- d-----w C:\Program Files\Soulseek
2008-06-25 02:19 --------- d-----w C:\Documents and Settings\Adam\Application Data\AdobeUM
2008-06-23 00:02 --------- d-----w C:\Documents and Settings\Adam\Application Data\Avant Profiles
2008-06-22 22:49 --------- d-----w C:\Program Files\Common Files\L&H
2008-06-22 22:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-22 22:45 --------- d-----w C:\Program Files\Microsoft Works
2008-06-22 22:41 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-21 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 03:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-21 00:59 --------- d-----w C:\Program Files\Soulseek-Test
2008-06-20 13:31 --------- d-----w C:\Documents and Settings\Adam\Application Data\dvdcss
2008-06-20 13:30 --------- d-----w C:\Program Files\megui
2008-06-20 13:30 --------- d-----w C:\Program Files\DVD Decrypter
2008-06-20 13:23 --------- d-----w C:\Program Files\Haali
2008-06-20 13:18 --------- d-----w C:\Documents and Settings\Adam\Application Data\Vso
2008-06-18 23:52 --------- d-----w C:\Program Files\CamStudio
2008-06-18 00:50 --------- d-----w C:\Program Files\The Complete MP3 Manager
2008-06-17 08:41 --------- d-----w C:\Program Files\SHOUTcast
2008-06-17 07:38 --------- d-----w C:\Program Files\MSBuild
2008-06-17 07:28 --------- d-----w C:\Program Files\Reference Assemblies
2008-06-17 06:54 --------- d-----w C:\Program Files\Sony Setup
2008-06-17 06:54 --------- d-----w C:\Documents and Settings\Adam\Application Data\Sony Setup
2008-06-14 05:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 07:41 --------- d-----w C:\Documents and Settings\Adam\Application Data\Go2PCsoft
2008-06-10 06:12 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-06-09 10:42 --------- d-----w C:\Documents and Settings\Adam\Application Data\DivX
2008-06-09 09:08 --------- d-----w C:\Program Files\No-IP
2008-06-09 06:16 --------- d-----w C:\Program Files\RealVNC
2008-06-09 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-26 05:37 4 --sh--r C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-11-18 09:51 47,360 ----a-w C:\Documents and Settings\Adam\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 00:28 171464]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"Google Update"="C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-07-23 16:45 119280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-09-19 15:27 2483504]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 01:00 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"TrojanScanner"="D:\Program Files\Trojan Remover\Trjscan.exe" [2008-07-22 14:13 909392]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 21:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]

C:\Documents and Settings\Adam\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\Adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 13:33:08 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CSCD"= camcodec.dll
"aux1"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=C:\WINDOWS\pss\NCProTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Transcend StoreJet elite]
--a------ 2007-02-15 15:15 5111296 C:\Program Files\Transcend Utility\Transcend StoreJet elite\SJelite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-06-01 16:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"MagicTuneEngine"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1900:UDP"= 1900:UDP:*:Disabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:*:Disabled:@xpsp2res.dll,-22008

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-System Files Updater - C:\WINDOWS\FlyakiteOSX\System Files Updater.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: E&xport to Microsoft Excel - F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{8D8C978C-06C8-4D47-B918-B27A37470631}: NameServer = 10.1.1.1

O16 -: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
C:\WINDOWS\Downloaded Program Files\BeboUploader.inf
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\Downloaded Program Files\BeboUploader.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 19:41:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???6????92????wd??w6???????\???\??????????????w-??w\???\????????cb??????C@?\???\??????s6???\??????s\????92?A??s?92??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\PaperCut Print Logger\pcpl.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-29 19:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-29 07:47:46

Pre-Run: 1,236,180,992 bytes free
Post-Run: 2,190,110,720 bytes free

175

======================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:49, on 2008-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\PaperCut Print Logger\pcpl.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avant Browser\avant.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Adam\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8C978C-06C8-4D47-B918-B27A37470631}: NameServer = 10.1.1.1

--
End of file - 2440 bytes
Tomk
post Jul 29 2008, 10:40 AM
Post #4





adimwis,

Your computer appears to have been infected by backdoor trojans. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response. I'll now continue with instructions for cleaning.



We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we felt we needed to change our policy on the use of P2P file sharing programs.

You have the following P-2-P program(s) installed
FrostWire, uTorrent, LimeWire, Soulseek

This is how you uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):


FrostWire
uTorrent
LimeWire
Soulseek


If you do not choose to remove these files, help on this forum will be discontinued.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    File::
    C:\WINDOWS\system32\system32.rar
    C:\WINDOWS\system32\bho2_e.dll
    C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat

    Folder::
    C:\Program Files\FrostWire
    C:\Documents and Settings\Adam\Application Data\FrostWire
    C:\Documents and Settings\Adam\Application Data\uTorrent
    C:\Documents and Settings\Adam\Application Data\LimeWire
    C:\Program Files\Soulseek
    C:\Program Files\Soulseek-Test

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


In your next reply please provide:
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log taken after everything else completed



Tomk
post Jul 31 2008, 07:32 PM
Post #5





adimwis,

How's it going?

Are you having trouble with the instructions?
adimwis
post Jul 31 2008, 08:09 PM
Post #6





Computer is going great thanks, but I am not going to uninstall my programs because a forum asks me to.

I thank you for your time, and now, I assume I will not be welcome on the forum because I have chosen to leave uTorrent etc. on my computer.

Thank you again.

Adam.
Tomk
post Jul 31 2008, 09:06 PM
Post #7





adimwis,

Thanks for responding back and letting me know your decision. It is yours to make.

I would ask that you follow one last set of instructions to remove ComboFix as it is a very powerful program that can harm your system if used incorrectly.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Good Luck.

This topic will be closed due to refusal to remove P2P programs.

This post has been edited by Tomk: Jul 31 2008, 09:10 PM