Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Internet Explorer connects but then won't open next page?

Started by TractorTom , Dec 07 2007 01:00 AM

  • Please log in to reply
8 replies to this topic

#1 TractorTom

TractorTom

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 07 December 2007 - 01:00 AM

I can PING the outside world from a command prompt.

I open IE, my Google homwe page opens, I enter a search string, Google returns but when I click on a link - nada.

Also I cannot update AVG.

Confused? I am.




Logfile of HijackThis v1.99.1
Scan saved at 09:41:34, on 07/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {834C94FB-B080-4B99-B5AD-FFE4441EC16C} - C:\WINDOWS\System32\vtuss.dll (file missing)
O2 - BHO: (no name) - {C88E57CA-D7E9-4B45-96A4-88D95F40F872} - C:\WINDOWS\System32\kleuodjr.dll (file missing)
O2 - BHO: (no name) - {E44F0DF7-95E0-42C3-B268-8D5C7374F139} - C:\WINDOWS\System32\nnnom.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft Windows Firewall] firewall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: nnnom - C:\WINDOWS\System32\nnnom.dll (file missing)
O20 - Winlogon Notify: vtuss - C:\WINDOWS\System32\vtuss.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Edited by TractorTom, 07 December 2007 - 03:49 AM.

    Advertisements

Register to Remove

#2 Markka

Markka

    Advanced Member

  • Banned
  • PipPipPipPip
  • 784 posts

Posted 07 December 2007 - 07:34 AM

Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient. :)

#3 Markka

Markka

    Advanced Member

  • Banned
  • PipPipPipPip
  • 784 posts

Posted 08 December 2007 - 07:29 AM

Hello :)

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post

#4 TractorTom

TractorTom

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 09 December 2007 - 03:31 AM

The PC belongs to a friend of mine. His mother passed away 9 months ago so he would prefer not to reformat at there are scraps of information on the PC he would like to preserve. So if you can advise on removal that would be great. Thanks, TractorTom

#5 Markka

Markka

    Advanced Member

  • Banned
  • PipPipPipPip
  • 784 posts

Posted 27 December 2007 - 05:47 AM

Hello and sorry for the long delay, I didn't get an e-mail notify :(

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!
__________________

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
____________________

Post:

- A fresh HijackThis log
- Contents of C:\ComboFix.txt
- Contents of the Report.txt

#6 TractorTom

TractorTom

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 28 December 2007 - 12:28 AM

Hi Markka,

Re delay in replying - no problem I know you guys are busy.

Here are my latest logs. I also ran the Norton Removal Tool as there were traces of an old Symantec / Norton AV program left behind.

The main problem I'm having is that other PC's connect to the net via this one but although they can Google something and something returns but then they cannot open something.

Thanks,

TractorTom




ComboFix log:

ComboFix 07-12-21.4 - Tom Reaney 2007-12-28 5:24:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.407 [GMT 0:00]
Running from: C:\Documents and Settings\Tom Reaney\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\msimg32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-18 09:05 . 2007-12-18 09:05 <DIR> d-------- C:\Program Files\Akamai
2007-12-18 09:05 . 2007-12-18 09:05 <DIR> d-------- C:\Documents and Settings\Tom Reaney\Application Data\Download Manager
2007-12-14 08:34 . 2007-12-14 08:35 <DIR> d-------- C:\Documents and Settings\Tom Reaney\Application Data\PrevxCSI
2007-12-14 08:34 . 2007-12-14 08:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-07 10:56 . 2007-12-07 10:56 1,262 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-04 16:11 . 2007-12-04 16:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-04 16:11 . 2006-10-04 14:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-04 16:07 . 2007-12-04 16:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-04 16:07 . 2007-12-14 08:06 1,393 --a------ C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-27 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-02 01:53 --------- d-----w C:\Documents and Settings\Tom Reaney\Application Data\Skype
2007-11-24 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ------w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 08:59 --------- d-----w C:\Documents and Settings\Tom Reaney\Application Data\GoodSync
2007-11-13 08:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-05 09:39 --------- d-----w C:\Documents and Settings\Tom Reaney\Application Data\HouseCall 6.6
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-12-19 15:26 37,992 -c--a-w C:\Documents and Settings\Tom Reaney\Application Data\GDIPFONTCACHEV1.DAT
2006-10-02 07:15 12,288,465 -c--a-w C:\Documents and Settings\Documents and Settings\AVG7QT.DAT
2006-07-19 06:43 0 -c--a-w C:\Documents and Settings\Documents and Settings\mozystate.dat
2006-07-19 06:43 0 -c--a-w C:\Documents and Settings\Documents and Settings\changes.dat
2006-06-03 07:45 95,510 -c--a-w C:\Documents and Settings\Documents and Settings\rr1.reg
2006-05-06 05:56 610,304 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\TCPOptimizer.exe
2006-04-27 04:53 890,576 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\EClea2_0.exe
2006-04-19 08:36 161 -c--a-w C:\Documents and Settings\Documents and Settings\Delme.bat
2006-04-19 08:33 178,792 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\cc_20060419_0932.reg
2006-04-18 06:42 2,252,736 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\hydraulic_power_pack.zip
2006-04-16 16:26 7,000,700 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\TU2006TrialEN(2).exe
2006-03-15 09:22 3,049,389 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\backer6e.exe
2006-03-13 09:24 3,986,160 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\LogMeIn.exe
2006-02-22 11:25 7,118,825 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\rrab.exe
2006-02-22 10:12 1,227,536 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\registryrepair_rr46.exe
2006-02-20 08:54 896,720 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\googletalk-setup.exe
2006-01-26 23:16 263,264 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\NetDiag_setup.exe
2006-01-01 17:14 102,753 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\sylvanderdiags.zip
1988-01-09 09:16 0 -c--a-w C:\Documents and Settings\Documents and Settings\CONFIG.SYS
1988-01-09 09:16 0 -c--a-w C:\Documents and Settings\Documents and Settings\AUTOEXEC.BAT
2001-08-18 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 -csh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 14:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-10-19 14:53 293888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-08-11 16:04 11496 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet k series) - 2.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet k series) - 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ONSPEED.lnk]
backup=C:\WINDOWS\pss\ONSPEED.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.lnk]
backup=C:\WINDOWS\pss\Push Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Symantec ACT!\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tom Reaney^Start Menu^Programs^Startup^Mozy Status.lnk]
path=C:\Documents and Settings\Tom Reaney\Start Menu\Programs\Startup\Mozy Status.lnk
backup=C:\WINDOWS\pss\Mozy Status.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tom Reaney^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=D:\Program Files\OpenOffice.org1.1.4\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tom Reaney^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 -----c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-11-11 10:15 851456 --a--c--- C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe -win

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
D:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Tray Icon WMI]
2002-03-22 17:51 32768 -----c--- C:\Program Files\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 11:51 1450096 -----c--- D:\Program Files\Nero CDRW\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kaseya Agent Service Helper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2006-08-11 16:04 303856 --a--c--- C:\Program Files\LogMeIn\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
2004-08-13 16:41 86016 -----c--- C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-xu\msnappau.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
2003-04-24 11:17 40960 -----c--- C:\WINDOWS\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 -----c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
D:\Program Files\RFA\rfagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
D:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
D:\Program Files\Windows Registry Repair Pro\RegistryRepairPro.exe 3

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDOWS SYSTEM]
nec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WinVNC4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"rfagent"="D:\Program Files\RFA\rfagent.exe"

R2 CAPI;CAPI 2.0 Service;C:\WINDOWS\system32\DRIVERS\capi.sys [2001-03-21 04:21]
R2 HPAlertWMI;HPAlertWMI;C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe [2002-03-22 17:15]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-08-11 16:04]
R2 NDISCAPI;NDIS CAPI Service;C:\WINDOWS\system32\DRIVERS\ndiscapi.sys [2001-03-21 04:21]
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys [2006-09-12 06:35]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;C:\WINDOWS\system32\DRIVERS\wdxwmac.sys [2001-03-21 04:21]
S3 hpdat;hpdat;C:\WINDOWS\system32\DRIVERS\hpdat.sys [2005-02-17 16:27]
S3 HPUSBMSC;HP USB Mass Storage Driver (HPUSBMSC);C:\WINDOWS\system32\DRIVERS\HPUSBMSC.SYS [2005-03-04 14:56]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys [2004-09-02 15:39]
S3 USBVSP;USBVSP;C:\WINDOWS\system32\drivers\Usbvsp.sys [2003-09-08 13:43]
S3 WinRT;WinRT;C:\WINDOWS\System32\drivers\WinRT.sys [1998-12-01 12:06]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 21:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2e7429-612b-11dc-90cb-000a5e54d60a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{836142c8-6510-11dc-90ce-000a5e54d60a}]
\Shell\AutoRun\command - F:\AutoRun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 05:27:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 5:28:11
.
2007-12-27 08:01:38 --- E O F ---


SDFix log:


SDFix: Version 1.120

Run by Tom Reaney on 28/12/2007 at 05:54

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 06:02:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Sat 18 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 60,416 ..SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 4 Aug 2004 1,028,096 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 413,696 ..SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Wed 4 Aug 2004 343,040 ..SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Thu 17 May 2007 549,376 ..SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Wed 4 Aug 2004 83,456 ..SH. --- "C:\WINDOWS\system32\olepro32.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Tue 4 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 8 Aug 2007 4,477,848 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\798cabe75c9fc29e7e313f70bf1ec7d6\BIT130.tmp"
Thu 7 Apr 2005 27,648 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Templates\~WRL3761.tmp"
Mon 16 Dec 2002 28,160 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Templates\~WRL3868.tmp"
Tue 12 Apr 2005 28,672 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Templates\~WRL4052.tmp"
Thu 11 Mar 2004 19,456 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Word\~WRL0003.tmp"
Thu 13 Feb 2003 41,472 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Word\~WRL1295.tmp"
Thu 13 Feb 2003 39,936 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Word\~WRL2747.tmp"
Wed 15 Feb 2006 73,728 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Word\~WRL3667.tmp"
Thu 13 Feb 2003 41,472 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Word\~WRL3681.tmp"
Wed 5 Mar 2003 34,304 ...H. --- "C:\Documents and Settings\Tom Reaney\Application Data\Microsoft\Word\~WRL3704.tmp"

Finished!


HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 06:12:29, on 28/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Nero CDRW\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
D:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://159.134.244.195/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C1EBB7B-1F88-4837-830C-7F29CA025955}: NameServer = 192.168.0.1
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HPAlertWMI - Hewlett-Packard Co. - C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Nero CDRW\InCD\InCDsrv.exe

#7 Markka

Markka

    Advanced Member

  • Banned
  • PipPipPipPip
  • 784 posts

Posted 02 January 2008 - 10:01 AM

Hello :)

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
__________________

Open HijackThis, Click Do a system scan only, checkmark this/these. Then close all other windows except HijackThis and press fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
__________________

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Documents and Settings\mozystate.dat
C:\Documents and Settings\Documents and Settings\changes.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDOWS SYSTEM]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a2e7429-612b-11dc-90cb-000a5e54d60a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{836142c8-6510-11dc-90ce-000a5e54d60a}]


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot).
____________________

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
_______________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
___________________

Post:
- A fresh HijackThis log
- AVG Anti-Spyware's report
- Logfile of ComboFix

#8 TractorTom

TractorTom

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 05 January 2008 - 09:18 AM

I may have screwed up the AVGAS bit - the screen resolution was set too and I couln't see what I as doing. Here are the latest posts that you requested:

1. ComboFix log

ComboFix 08-01-04.1 - Tom Reaney 2008-01-05 6:53:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.578 [GMT 0:00]
Running from: C:\Documents and Settings\Tom Reaney\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom Reaney\Desktop\CFScript.txt

FILE
C:\Documents and Settings\Documents and Settings\changes.dat
C:\Documents and Settings\Documents and Settings\mozystate.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Documents and Settings\changes.dat
C:\Documents and Settings\Documents and Settings\mozystate.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 06:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 05:56 . 2008-01-05 05:56 <DIR> d-------- C:\Documents and Settings\Tom Reaney\Application Data\Grisoft
2008-01-05 05:55 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-28 05:52 . 2007-12-28 05:52 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-18 09:05 . 2007-12-18 09:05 <DIR> d-------- C:\Program Files\Akamai
2007-12-18 09:05 . 2007-12-18 09:05 <DIR> d-------- C:\Documents and Settings\Tom Reaney\Application Data\Download Manager
2007-12-14 08:34 . 2007-12-14 08:35 <DIR> d-------- C:\Documents and Settings\Tom Reaney\Application Data\PrevxCSI
2007-12-14 08:34 . 2007-12-14 08:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-07 10:56 . 2007-12-07 10:56 1,262 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-05 00:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-04 16:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-02 01:53 --------- d-----w C:\Documents and Settings\Tom Reaney\Application Data\Skype
2007-11-24 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ------w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 08:59 --------- d-----w C:\Documents and Settings\Tom Reaney\Application Data\GoodSync
2007-11-13 08:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-05 09:39 --------- d-----w C:\Documents and Settings\Tom Reaney\Application Data\HouseCall 6.6
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-12-19 15:26 37,992 -c--a-w C:\Documents and Settings\Tom Reaney\Application Data\GDIPFONTCACHEV1.DAT
2006-10-02 07:15 12,288,465 -c--a-w C:\Documents and Settings\Documents and Settings\AVG7QT.DAT
2006-06-03 07:45 95,510 -c--a-w C:\Documents and Settings\Documents and Settings\rr1.reg
2006-05-06 05:56 610,304 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\TCPOptimizer.exe
2006-04-27 04:53 890,576 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\EClea2_0.exe
2006-04-19 08:36 161 -c--a-w C:\Documents and Settings\Documents and Settings\Delme.bat
2006-04-19 08:33 178,792 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\cc_20060419_0932.reg
2006-04-18 06:42 2,252,736 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\hydraulic_power_pack.zip
2006-04-16 16:26 7,000,700 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\TU2006TrialEN(2).exe
2006-03-15 09:22 3,049,389 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\backer6e.exe
2006-03-13 09:24 3,986,160 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\LogMeIn.exe
2006-02-22 11:25 7,118,825 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\rrab.exe
2006-02-22 10:12 1,227,536 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\registryrepair_rr46.exe
2006-02-20 08:54 896,720 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\googletalk-setup.exe
2006-01-26 23:16 263,264 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\NetDiag_setup.exe
2006-01-01 17:14 102,753 -c--a-w C:\Documents and Settings\Tom Reaney OLD desktop May 6 2006\sylvanderdiags.zip
1988-01-09 09:16 0 -c--a-w C:\Documents and Settings\Documents and Settings\CONFIG.SYS
1988-01-09 09:16 0 -c--a-w C:\Documents and Settings\Documents and Settings\AUTOEXEC.BAT
2001-08-18 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 -csh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56 11,776 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:11 579072]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-05 06:16 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 14:41 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-10-19 14:53 293888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2006-08-11 16:04 11496 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet k series) - 2.lnk]
backup=C:\WINDOWS\pss\HPAiODevice(hp officejet k series) - 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ONSPEED.lnk]
backup=C:\WINDOWS\pss\ONSPEED.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.lnk]
backup=C:\WINDOWS\pss\Push Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Symantec ACT!\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tom Reaney^Start Menu^Programs^Startup^Mozy Status.lnk]
path=C:\Documents and Settings\Tom Reaney\Start Menu\Programs\Startup\Mozy Status.lnk
backup=C:\WINDOWS\pss\Mozy Status.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tom Reaney^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=D:\Program Files\OpenOffice.org1.1.4\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tom Reaney^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
D:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 -----c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2005-11-11 10:15 851456 --a--c--- C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe -win

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
D:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Tray Icon WMI]
2002-03-22 17:51 32768 -----c--- C:\Program Files\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-09-13 11:51 1450096 -----c--- D:\Program Files\Nero CDRW\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kaseya Agent Service Helper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2006-08-11 16:04 303856 --a--c--- C:\Program Files\LogMeIn\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
2004-08-13 16:41 86016 -----c--- C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-xu\msnappau.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
2003-04-24 11:17 40960 -----c--- C:\WINDOWS\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 -----c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
D:\Program Files\RFA\rfagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
D:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
D:\Program Files\Windows Registry Repair Pro\RegistryRepairPro.exe 3

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WinVNC4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"rfagent"="D:\Program Files\RFA\rfagent.exe"

R2 CAPI;CAPI 2.0 Service;C:\WINDOWS\system32\DRIVERS\capi.sys [2001-03-21 04:21]
R2 HPAlertWMI;HPAlertWMI;C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe [2002-03-22 17:15]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys [2006-08-11 16:04]
R2 NDISCAPI;NDIS CAPI Service;C:\WINDOWS\system32\DRIVERS\ndiscapi.sys [2001-03-21 04:21]
R3 wdxwmac;PCI ISDN Card NDIS WAN Driver;C:\WINDOWS\system32\DRIVERS\wdxwmac.sys [2001-03-21 04:21]
S3 hpdat;hpdat;C:\WINDOWS\system32\DRIVERS\hpdat.sys [2005-02-17 16:27]
S3 HPUSBMSC;HP USB Mass Storage Driver (HPUSBMSC);C:\WINDOWS\system32\DRIVERS\HPUSBMSC.SYS [2005-03-04 14:56]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 SGUARD;SGUARD;C:\WINDOWS\system32\drivers\SGuard.sys [2004-09-02 15:39]
S3 USBVSP;USBVSP;C:\WINDOWS\system32\drivers\Usbvsp.sys [2003-09-08 13:43]
S3 WinRT;WinRT;C:\WINDOWS\System32\drivers\WinRT.sys [1998-12-01 12:06]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 21:52]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 06:56:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 6:58:18
ComboFix-quarantined-files.txt 2008-01-05 06:57:53
ComboFix2.txt 2007-12-28 05:28:14
.
2008-01-03 08:01:10 --- E O F ---





2. AVGAS log

I think I messed this up. The good news is that AVGAS only found some entries associated with LogMeIn (remote control software)





3. HiJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 15:11:40, on 05/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Nero CDRW\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://159.134.244.195/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1608905C-342E-437D-8AFB-46A403EAD15D}: NameServer = 213.94.190.235 213.94.190.195
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C1EBB7B-1F88-4837-830C-7F29CA025955}: NameServer = 192.168.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{1608905C-342E-437D-8AFB-46A403EAD15D}: NameServer = 213.94.190.235 213.94.190.195
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HPAlertWMI - Hewlett-Packard Co. - C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Nero CDRW\InCD\InCDsrv.exe

#9 Markka

Markka

    Advanced Member

  • Banned
  • PipPipPipPip
  • 784 posts

Posted 12 February 2008 - 07:18 AM

Still there? :blush:

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·