[Resolved] please help


  • This topic is locked
124 replies to this topic

#16 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 14 October 2007 - 03:28 AM

Hi Joecastle

ComboFix is updated regularly, we're going to try a newer version.

Please delete any existing copies of ComboFix

Download ComboFix by sUBs from here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Thanks,

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

Need help remembering those important computer maintenance tasks? Let SCars do it for you.


#17 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • 215 posts

Posted 14 October 2007 - 02:11 PM

Here it is,

Same window appears as previous... Every time I run ComboFix, in the middle of its process a window pops up with the said file sed.cfexe at the top, and at the bottom it says "sed.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience." I always click Don't Send. I think it is probably why these files are not going away?

ComboFix 07-10-14.4 - admin 2007-10-14 15:48:32.5 - FAT32x86
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cagacag.dll . . . . failed to delete
C:\WINDOWS\system32\cagacag.dll.bak . . . . failed to delete
C:\WINDOWS\system32\drivers\iiccncfm.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\lhfjncwk.dat . . . . failed to delete
C:\WINDOWS\system32\mstlsap.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GPEJSJBQ
-------\LEGACY_PNJMLGJX
-------\gpejsjbq
-------\pnjmlgjx


((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-09 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 19:52 17,664 C:\WINDOWS\system32\drivers\lhfjncwk.dat
2007-10-05 19:52 5,120 C:\WINDOWS\system32\drivers\iiccncfm.dat
2007-10-05 17:26 <DIR> d-------- C:\Documents and Settings\admin\Application Data\TrojanHunter
2007-10-05 13:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-04 21:47 <DIR> d-------- C:\WINDOWS\peernet
2007-10-04 21:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-04 21:33 20,480 --a------ C:\WINDOWS\system32\sprecovr.exe
2007-10-04 21:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-04 21:19 <DIR> d-------- C:\WINDOWS\EHome
2007-10-04 20:53 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-04 17:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-04 17:28 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-04 17:28 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-04 17:28 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-04 17:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-04 17:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-04 17:08 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-04 02:56 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-04 00:09 <DIR> d-------- C:\WINDOWS\pss
2007-10-03 23:49 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Grisoft
2007-10-03 23:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-03 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-03 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:17 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-03 23:17 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-03 23:17 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-03 23:17 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-03 23:17 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-03 23:17 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-09-20 20:34 6,720 --a------ C:\WINDOWS\system32\syslodr.sys
2007-09-20 19:38 105,591 --a------ C:\WINDOWS\system32\mstlsap.dll
2007-09-20 19:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 19:24 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-09-20 19:24 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 19:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-20 19:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AdobeUM
2007-09-20 19:03 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 17:22 94,720 ----a-w C:\WINDOWS\system32\cagacag.dll
2007-10-04 03:50 246 ----a-w C:\Program Files\Common Files\lavu
2007-09-08 02:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-08 02:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\admin\Application Data\MSN6
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-25 15:50 412,160 ----a-w C:\WINDOWS\installer.exe
2007-07-15 19:06 202,240 ----a-w C:\WINDOWS\system32\Yamaha 2007 R1.scr
2007-03-25 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
2001-08-23 12:00 105591 --a------ C:\WINDOWS\System32\mstlsap.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
2007-10-07 13:22 94720 --a------ c:\windows\system32\cagacag.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 18:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 00:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
helpsvcgpejsjbq

*Newly Created Service* - GTNDIS5
*Newly Created Service* - PNJMLGJX
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 15:55:26
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-14 15:58:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-12 21:07
C:\ComboFix3.txt ... 2007-10-12 20:21
C:\ComboFix2.txt ... 2007-10-12 21:07
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 4:03:34 PM, on 10/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)
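The two unnamed BHOs in the HJT log above (mstlsap.dll and cagacag.dll) are the same files ComboFix reported it could not delete, which is what points to something protecting them. The Python script below is an added example for this thread, not code from HijackThis, ComboFix or anyone in the discussion: it parses O2 lines and ComboFix "failed to delete" lines and flags BHO entries that are unnamed and loaded from System32, orphaned ("file missing"), or locked against deletion. The sample lines are copied from the logs posted in this thread; the regexes, flagging rules and function names are this example's own assumptions.

```python
"""Triage HijackThis O2 (BHO) entries against a ComboFix "failed to delete" list.

Added example for this thread: the sample lines are copied from logs posted
above; the regexes, flagging rules and function names are this example's own,
not part of HijackThis or ComboFix.
"""
import re

# O2 - BHO: <description> - {<CLSID>} - <path, possibly followed by "(file missing)">
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# ComboFix "Other Deletions" line for a file it could not remove
FAILED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \. \. \. \. failed to delete$")

# Constructed sample: O2/O3 lines taken from the HJT logs in this thread
SAMPLE_HJT = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll",
    r"O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll",
]
# Constructed sample: the "Other Deletions" section of the first ComboFix log above
SAMPLE_COMBOFIX = [
    r"C:\WINDOWS\system32\cagacag.dll . . . . failed to delete",
    r"C:\WINDOWS\system32\cagacag.dll.bak . . . . failed to delete",
    r"C:\WINDOWS\system32\drivers\iiccncfm.dat . . . . failed to delete",
    r"C:\WINDOWS\system32\drivers\lhfjncwk.dat . . . . failed to delete",
    r"C:\WINDOWS\system32\mstlsap.dll . . . . failed to delete",
]


def parse_o2(lines):
    """Return one dict per O2 line; every other line type is ignored."""
    entries = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip()
        missing = "(file missing)" in target or target == "(no file)"
        path = target.replace("(file missing)", "").strip()
        entries.append({"desc": m.group("desc"), "clsid": m.group("clsid").upper(),
                        "path": path, "missing": missing})
    return entries


def parse_failed_deletes(lines):
    """Return the lower-cased paths ComboFix reported it could not delete."""
    failed = set()
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            failed.add(m.group("path").lower())
    return failed


def triage(entry, failed):
    """Return the reasons an entry deserves attention (empty list = nothing unusual)."""
    reasons = []
    p = entry["path"].lower()
    if entry["missing"]:
        reasons.append("orphaned registration (file missing)")
    # An unnamed BHO is common for legitimate helpers too (SDHelper.dll above),
    # so only combine it with a System32 location before flagging.
    if entry["desc"] == "(no name)" and "\\system32\\" in p:
        reasons.append("unnamed BHO loaded from System32")
    if p in failed:
        reasons.append("ComboFix could not delete this file")
    return reasons


def report(hjt_lines, combofix_lines):
    """Return {CLSID: [reasons]} for every O2 entry that raised at least one flag."""
    failed = parse_failed_deletes(combofix_lines)
    flagged = {}
    for entry in parse_o2(hjt_lines):
        reasons = triage(entry, failed)
        if reasons:
            flagged[entry["clsid"]] = reasons
    return flagged


if __name__ == "__main__":
    for clsid, reasons in report(SAMPLE_HJT, SAMPLE_COMBOFIX).items():
        print(clsid, "->", "; ".join(reasons))
```

The Spybot SDHelper.dll entry is the deliberate edge case: it is also "(no name)", so a rule on the description alone would produce a false positive; combining it with the load path and the ComboFix result is what separates the two System32 entries from it.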

#18 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 15 October 2007 - 01:13 PM

Hi Joecastle

Big thanks to sUBs (ComboFix developer) for this one.

Download this tool - Gmer
  • Extract the contents of the zipped file to desktop.
  • Disconnect from internet and close all running programs.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
  • In the left panel, you will see a line that says something similar to this ...

    \SystemRoot\system32\drivers\lhfjncwk.dat ObOpenObjectByName

  • Right click on the line & select 'Restore Code'
  • Once that's done, close Gmer.exe
When you used my CFScript the second time, you accidentally used the old one according to the log. To ensure that doesn't happen this time, please delete any CFScripts you have currently.

Don't worry so much about the sed.cfexe for now; sUBs says it's not a real problem for the moment.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\cagacag.dll.bak
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\syslodr.sys 
C:\Program Files\Common Files\lavu 

Driver::
iiccncfm
lhfjncwk
gpejsjbq
pnjmlgjx

NetSvc::
gpejsjbq 

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs\helpsvcgpejsjbq]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{078A5878-DA1D-4AD9-A6CD-63D7F737106A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC91129A-A238-49F2-B101-2896DF91A32F}]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

3. Save the above as CFScript.txt

4. Drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation not captured in this copy)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Good luck ;)

jpshortstuff


#19 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • 215 posts

Posted 15 October 2007 - 02:11 PM

Hi jpshortstuff,

Just a note. I have no internet connection on this computer. I lost it a while ago. I have been using a junk drive to transfer the programs & logs from one computer to the other.

Here are the logs...

ComboFix 07-10-14.4 - admin 2007-10-15 15:54:05.6 - FAT32x86
Running from: E:\ComboFix.exe
Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt

FILE::
C:\Program Files\Common Files\lavu
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\cagacag.dll.bak
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\syslodr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\lavu
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\syslodr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GPEJSJBQ
-------\LEGACY_PNJMLGJX
-------\gpejsjbq
-------\pnjmlgjx


((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.

2007-10-09 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 17:26 <DIR> d-------- C:\Documents and Settings\admin\Application Data\TrojanHunter
2007-10-05 13:57 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-04 21:47 <DIR> d-------- C:\WINDOWS\peernet
2007-10-04 21:46 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-04 21:33 20,480 --a------ C:\WINDOWS\system32\sprecovr.exe
2007-10-04 21:28 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-04 21:19 <DIR> d-------- C:\WINDOWS\EHome
2007-10-04 20:53 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-10-04 17:28 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-04 17:28 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-04 17:28 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-04 17:28 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-04 17:28 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-04 17:08 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-10-04 17:08 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-10-04 02:56 <DIR> d-------- C:\WINDOWS\system32\bits
2007-10-04 00:09 <DIR> d-------- C:\WINDOWS\pss
2007-10-03 23:49 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Grisoft
2007-10-03 23:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-03 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-03 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 23:17 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-10-03 23:17 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-10-03 23:17 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-10-03 23:17 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-10-03 23:17 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-10-03 23:17 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-09-20 19:24 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-20 19:24 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-09-20 19:24 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-20 19:23 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-20 19:07 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AdobeUM
2007-09-20 19:03 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-08 02:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2007-09-08 02:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-08-20 22:09 --------- d-----w C:\Documents and Settings\admin\Application Data\MSN6
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-25 15:50 412,160 ----a-w C:\WINDOWS\installer.exe
2007-07-15 19:06 202,240 ----a-w C:\WINDOWS\system32\Yamaha 2007 R1.scr
2007-03-25 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-09_19.28.22.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-15 19:48:42 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
+ 2007-10-15 19:48:44 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-08-10 18:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-10 18:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 00:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
helpsvcgpejsjbq

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 15:58:56
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15 16:02:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-12 21:07
C:\ComboFix3.txt ... 2007-10-12 21:07
C:\ComboFix2.txt ... 2007-10-14 15:58
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 4:03:01 PM, on 10/15/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)
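Before a machine is declared clean it is worth checking the ComboFix log mechanically against the CFScript that produced it rather than reading it by eye. The Python script below is an added example, not code from ComboFix or from anyone in this thread: it reads the File:: targets out of a CFScript, reads the "Other Deletions" section of a ComboFix log, and classifies every target as deleted, failed, or not listed. The sample script and log lines are copied from post #18 and from the two ComboFix logs in this thread; the section parsing and function names are this example's own assumptions. Run against the log above, it shows that cagacag.dll.bak is never listed among the deletions even though cagacag.dll appears twice, the kind of discrepancy a reviewer wants surfaced.

```python
"""Check a CFScript's File:: targets against the ComboFix log it produced.

Added example for this thread. The sample script and log lines are copied
from the posts above; HEADER_RE, the section handling and the function names
are this example's own, not ComboFix's.
"""
import re

# ComboFix section banner: "(((((( Title ))))))"
HEADER_RE = re.compile(r"^\(+ (.+?) \)+$")

# Constructed sample: the File:: and Driver:: sections of the CFScript from post #18
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\cagacag.dll
C:\WINDOWS\system32\cagacag.dll.bak
C:\WINDOWS\system32\drivers\iiccncfm.dat
C:\WINDOWS\system32\drivers\lhfjncwk.dat
C:\WINDOWS\system32\mstlsap.dll
C:\WINDOWS\system32\syslodr.sys
C:\Program Files\Common Files\lavu

Driver::
iiccncfm
lhfjncwk
"""

# Constructed sample: "Other Deletions" from the first ComboFix log (before the CFScript)
SAMPLE_LOG_BEFORE = [
    "((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))",
    ".", "",
    r"C:\WINDOWS\system32\cagacag.dll . . . . failed to delete",
    r"C:\WINDOWS\system32\cagacag.dll.bak . . . . failed to delete",
    r"C:\WINDOWS\system32\drivers\iiccncfm.dat . . . . failed to delete",
    r"C:\WINDOWS\system32\drivers\lhfjncwk.dat . . . . failed to delete",
    r"C:\WINDOWS\system32\mstlsap.dll . . . . failed to delete",
    "((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))",
    r"-------\LEGACY_GPEJSJBQ",
]
# Constructed sample: "Other Deletions" from the second ComboFix log (after the CFScript)
SAMPLE_LOG_AFTER = [
    "((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))",
    ".", "",
    r"C:\Program Files\Common Files\lavu",
    r"C:\WINDOWS\system32\cagacag.dll",
    r"C:\WINDOWS\system32\cagacag.dll",
    r"C:\WINDOWS\system32\drivers\iiccncfm.dat",
    r"C:\WINDOWS\system32\drivers\lhfjncwk.dat",
    r"C:\WINDOWS\system32\drivers\lhfjncwk.dat",
    r"C:\WINDOWS\system32\mstlsap.dll",
    r"C:\WINDOWS\system32\syslodr.sys",
    "((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))",
    r"-------\LEGACY_GPEJSJBQ",
]


def cfscript_files(script_text):
    """Return the paths listed under File:: (up to the next 'Name::' section)."""
    files, active = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"[A-Za-z]+::", line):
            active = line.lower() == "file::"
            continue
        if active and line:
            files.append(line)
    return files


def combofix_sections(log_lines):
    """Map each ComboFix section title to its body lines, dropping '.' spacers."""
    sections, current = {}, None
    for raw in log_lines:
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current and line and line != ".":
            sections[current].append(line)
    return sections


def verify_deletions(script_text, log_lines):
    """Classify each File:: target as 'deleted', 'failed' or 'not listed'."""
    deletions = combofix_sections(log_lines).get("Other Deletions", [])
    deleted, failed = set(), set()
    for line in deletions:
        if line.endswith("failed to delete"):
            failed.add(line.split(" . . . . ")[0].lower())
        else:
            deleted.add(line.lower())
    result = {}
    for path in cfscript_files(script_text):
        key = path.lower()
        result[path] = "failed" if key in failed else "deleted" if key in deleted else "not listed"
    return result


if __name__ == "__main__":
    for path, status in verify_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG_AFTER).items():
        print(f"{status:10s} {path}")
```

Paths are compared case-insensitively because ComboFix and HijackThis mix cases freely (compare c:\windows\system32\cagacag.dll in the registry dump with C:\WINDOWS\system32\cagacag.dll in the deletions list); a case-sensitive comparison would report false "not listed" results.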

#20 sUBs

sUBs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 15 October 2007 - 02:26 PM

How did you lose your internet connection? Was it caused by the infection?

#21 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • 215 posts

Posted 15 October 2007 - 02:52 PM

Quoting Joecastle (Oct 7 2007, 07:05 PM, post 407340):
Here is a HJT log. I had to save it on my junk drive and use my pc in order to post it here. The lap top now lost its network connection & AVG report is gone as well.

Logfile of HijackThis v1.99.1
Scan saved at 6:51:12 PM, on 10/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\YMANTE~1\wuauboot.exe
C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe
C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Documents and Settings\admin\Desktop\New Folder\hijackthis.exe

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {078A5878-DA1D-4AD9-A6CD-63D7F737106A} - C:\WINDOWS\System32\mstlsap.dll
O2 - BHO: (no name) - {07e789d7-1024-4b80-95e0-05c37a019991} - C:\WINDOWS\System32\roehxlk.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: 0 - {3F21B1EF-5204-4C3E-0984-BAA1997E92DA} - C:\Program Files\Common Files\lavu.dll (file missing)
O2 - BHO: (no name) - {412A8BAA-F626-43A8-A141-9B5459D8680D} - C:\Program Files\MSN Gaming Zone\hokerowo4444.dll
O2 - BHO: (no name) - {42DF7F1B-B0A3-E750-A049-E72B2E948CC5} - C:\WINDOWS\System32\txkl.dll
O2 - BHO: Flash Module - {43621FA4-9E25-4bcf-A5F4-5934E3838EC1} - btasv.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {61AA313D-D651-425F-AFCF-3D5A6A66163C} - C:\Program Files\MSN Gaming Zone\hokerowo83122.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {9A91A92D-35B0-3C1C-EC5C-4B761C4E069E} - C:\WINDOWS\System32\glxgulu.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BC91129A-A238-49F2-B101-2896DF91A32F} - c:\windows\system32\cagacag.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155247693\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\_svchost.exe
O4 - HKLM\..\Run: [QuickTime] C:\WINDOWS\TEMP\kroouhug.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKCU\..\Run: [Sets] "C:\PROGRA~1\YMANTE~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Gtesultq] "C:\Documents and Settings\admin\My Documents\??crosoft\d?xplore.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\admin\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\admin\Application Data\Microsoft\Windows\eckefy.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZCxdm736MGUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - file://D:\GAMES\msjavx86_3805.exe
O20 - AppInit_DLLs:  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: bsfrzvci - C:\WINDOWS\SYSTEM32\cagacag.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\System32\_svchost.exe
O23 - Service: WUSB54GSCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe" "WUSB54GSC.exe (file missing)


I will do another AVG in Safe Mode & try to save it again...
[/quote]

Since post #6 is when I lost it. When I go to network connections there is nothing there. I have been using a junk drive to transfer since then...

#22 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 15 October 2007 - 03:42 PM

Is your other machine a Windows XP machine? Give this a try ...

Go to this directory > C:\Windows\System32\drivers\
Locate the file -> tcpip.sys
Rename it to > tcpip.sys_old

Wait 5 seconds & refresh the page by pressing F5
See if the Operating System regenerates a fresh copy of tcpip.sys

If not, copy tcpip.sys from another machine & place it in the C:\Windows\System32\drivers\ directory
Reboot the machine
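Before renaming or replacing a kernel driver it helps to know whether the copy on disk is still the one Windows installed. The following is an added example, not part of sUBs' instructions, and assumes Windows PowerShell is available on the machine and that Windows File Protection's cache at %SystemRoot%\System32\dllcache still holds a copy of tcpip.sys. It prints size, timestamp, version and SHA-256 for both copies and says whether they match; a mismatch, or a missing cache copy, is the point at which a copy from another XP SP2 machine (same service pack) is the sensible source.

```powershell
# Added example (not from the thread): compare the live tcpip.sys with the copy
# Windows File Protection keeps in dllcache before renaming or replacing it.
# Uses .NET's SHA256 directly so it also runs on PowerShell 1.0/2.0 (no Get-FileHash).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$live  = Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys'
$cache = Join-Path $env:SystemRoot 'System32\dllcache\tcpip.sys'   # assumed WFP cache location

foreach ($p in @($live, $cache)) {
    if (Test-Path $p) {
        $f = Get-Item $p
        Write-Output ("{0}`n  size {1} bytes  modified {2}  version {3}`n  sha256 {4}" -f `
            $p, $f.Length, $f.LastWriteTime, $f.VersionInfo.FileVersion, (Get-Sha256Hex $p))
    } else {
        Write-Output "$p : not present"
    }
}

if ((Test-Path $live) -and (Test-Path $cache)) {
    if ((Get-Sha256Hex $live) -eq (Get-Sha256Hex $cache)) {
        Write-Output 'Live driver matches the dllcache copy.'
    } else {
        Write-Output 'MISMATCH: live tcpip.sys differs from the dllcache copy; treat it as suspect.'
    }
}
```

Run it from an elevated prompt on the affected machine. Matching hashes do not prove the file is clean (both copies could have been replaced), but a mismatch is a strong reason not to trust the live driver, and the version string tells you which service pack's copy to fetch.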

#23 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 15 October 2007 - 04:58 PM

Hi sUBs, Tried above but don't see any change.. System is not responding, freezing up, so I did a hard boot & still the same. A window just popped up saying Virtual memory is increasing & another just popped up saying WLAN_Cfg out of memory.

#24 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 15 October 2007 - 11:03 PM

Let's have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues

Go to Start > Run - type in eventvwr <Press Enter>


Posted Image

This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.
  1. In the left pane click on Application.
  2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name.
     Look for “Error” & double-click on the most recent 10, and evaluate the event description for any indication of the cause of the problem.
  3. Make note of the Description, EventID and Source of these Event Properties.
  4. From the right pane, doubleclick on the line where it says error & you should get a window like the example below

     Posted Image

  5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
     There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
  6. Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here
Repeat steps 1-6 for System
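The same information can be gathered without clicking through each event, which matters on a machine that is freezing. This is an added example, not part of sUBs' steps, and assumes Windows PowerShell (Get-EventLog is a Windows PowerShell cmdlet; it is not present in PowerShell 7) and a writable Desktop folder. It pulls the ten most recent Error entries from the Application and System logs with the Source, EventID and Description fields the steps above ask for and writes them to a text file for pasting into a reply.

```powershell
# Added example (not from the thread): export the 10 most recent Error events
# from the Application and System logs to a text file on the Desktop.
$out = Join-Path $env:USERPROFILE 'Desktop\eventlog-errors.txt'   # assumed output path

$report = foreach ($log in 'Application', 'System') {
    "===== $log ====="
    # -EntryType Error matches what sorting by "Type" and picking "Error" shows in eventvwr
    Get-EventLog -LogName $log -EntryType Error -Newest 10 |
        ForEach-Object {
            "{0}  Source: {1}  EventID: {2}`n  {3}`n" -f `
                $_.TimeGenerated, $_.Source, $_.EventID, $_.Message
        }
}

$report | Set-Content -Path $out
Write-Output "Event details written to $out"
```

If the log is very noisy, add `| Group-Object Source` before the ForEach-Object to see which component is generating the errors; repeated entries from one source (a driver, a service host, a specific DLL) usually point at the cause faster than reading the ten newest one by one.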

#25 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 15 October 2007 - 11:28 PM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
helpsvcgpejsjbq

This is a strange entry in your ComboFix log.

The entry looks like the combination of 2 services: helpsvc + gpejsjbq. Malware appears to have messed it up. We shall need to fix it.

Download & run the tool that I have attached to this post. Then post the log it produces.
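The netsvcs value is a multi-string list of service names that the shared svchost.exe instance is allowed to host, so a name like helpsvcgpejsjbq that corresponds to no installed service is exactly what a corrupted or tampered entry looks like. The script below is an added example, not the tool sUBs attached, and assumes Windows PowerShell and the standard registry locations. It walks every name in netsvcs and flags any that has no key under HKLM\SYSTEM\CurrentControlSet\Services, printing the ServiceDll for the ones that do.

```powershell
# Added example (not from the thread): list the netsvcs group and flag names
# that have no matching service key, which is how a fused entry such as
# "helpsvcgpejsjbq" (helpsvc + gpejsjbq) shows up.
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchost -Name netsvcs).netsvcs

foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $svcKey) {
        # ServiceDll lives under Parameters for svchost-hosted services; it may be absent
        $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        Write-Output ("OK       {0,-24} {1}" -f $name, $dll)
    } else {
        Write-Output ("UNKNOWN  {0,-24} no Services key (check whether two names were joined)" -f $name)
    }
}
```

An UNKNOWN hit is not automatically malicious: netsvcs on a clean XP install lists a few services that are not present on every edition. Compare the output against the same script run on a known-clean machine with the same service pack, and treat a ServiceDll that points outside %SystemRoot%\System32 with the same suspicion as a missing key.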


#26 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 16 October 2007 - 04:42 PM

Hi sUBs, The computer is unresponsive. Ever since I copied & pasted the tcpip.sys from my machine to this one it has been unresponsive. I open event viewer as described above & click on the button & nothing happens. I try to open note pad & it does not open (even if I go into run & type notepad.exe). I downloaded the attached file to my junk drive, but when I double click My Computer it will not open. Is there any way I can undo the tcpip.sys procedure that I did? The computer was working better then. Then maybe I can run the above procedures.

#27 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 16 October 2007 - 04:47 PM

Isn't your other machine a Windows XP machine? Do a search of the infected machine for other copies of tcpip.sys. If you can find one, we can copy that to replace tcpip.sys.

#28 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 16 October 2007 - 04:57 PM

I cannot open any window on the infected machine. I clicked on the start button to try & restart & instead it asks if I want to switch users or log off. So I clicked switch users to see what other user is logged on & it will not respond. I then clicked to log off & now it seemed as if it were to shut down but another window now popped up saying Log On to Windows asking for a user name & password. I did not have to do this before.

#29 sUΒs

sUΒs

    Authentic Member

  • Malware Expert
  • 189 posts

Posted 16 October 2007 - 05:01 PM

That does not sound anything like tcpip trouble. tcpip.sys is a driver used by network components. It has nothing to do with logon/logoffs. Hard boot the machine & try logging on in safe mode without networking. tcpip.sys isn't used there.

#30 Joecastle

Joecastle

    Authentic Member

  • Authentic Member
  • PipPip
  • 215 posts

Posted 16 October 2007 - 05:26 PM

OK, Yes, my machine is an XP Pro SP2. I'm in safemode & in the C:\WINDOWS\system32\drivers I see a tcpip6 & the one I copied in there is tcpip.sys_old. I did a search & it found the tcpip.sys_old & tcpip.
