Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] infected computer


  • This topic is locked This topic is locked
13 replies to this topic

#1 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 22 December 2007 - 01:04 AM

My computer has recently been infected with adware and spyware. When i log on to my computer windows defender deletes Win32/Fotomoto and Win32:Virtumonde.A

This happens every time i turn my computer on and it won't seem to go away and it is effecting my computers performance.pls help.

Here is My HijackThis log file.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:36 PM, on 21/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\bklqaxby.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Segmento] C:\Program Files\ydt\Segmento_Alpha\Segmento_Alpha.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [6c06ac8f] rundll32.exe "C:\WINDOWS\system32\pvjcxaac.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109297745000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bklqaxby.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7332 bytes

    Advertisements

Register to Remove


#2 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 23 December 2007 - 10:43 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 2

Please download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows directory, typically C:\SDFix)

  • Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.
  • Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking)

Once in Safe Mode, do the following:

  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot; press any key and it will restart the PC.
  • When the PC restarts SDFix will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to clipboard ready for posting back on the forum).

Step 3

Please download and install CCleaner.

  • Open CCleaner. In the Left Pane, click Tools.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save.
  • Exit Ccleaner by clicking on the X button in the upper right of the CCleaner window.

Step 4

In your next reply, please post:

  • the SDFix report (C:\SDFix\Report.txt)
  • the CCleaner Uninstall List (install.txt)
  • a new HijackThis log

Edited by Simon V., 23 December 2007 - 10:45 AM.


#3 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 23 December 2007 - 07:09 PM

Thanks.
here is my SDfix report


SDFix: Version 1.119

Run by Trent on Mon 24/12/2007 at 10:46 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\X.DAT - Deleted
C:\n.bat - Deleted
C:\x.dat - Deleted
C:\z.dat - Deleted
C:\WINDOWS\Fonts\Crack.exe - Deleted
C:\WINDOWS\PART0100.DAT - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 637,945 bytes - Deleted
C:\WINDOWS\Fonts\'\*.zip - 552 File(s) 352,146,192 bytes - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder C:\WINDOWS\Fonts\' - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 10:58:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E212AA6-8046-5918-1765-D81162BFE64B}]
"ialjilihpmmakncpde"=hex:6a,61,61,68,68,65,70,6e,64,67,6f,61,65,6b,70,6b,6d,61,64,6a,00,..
"hajicapgdcmfhfna"=hex:6a,61,61,68,68,65,70,6e,64,67,6f,61,65,6b,70,6b,6d,61,64,6a,00,..
"oagiemjimdbhjikfghnelohdiifmom"=hex:61,69,6d,67,6f,6f,69,69,62,67,68,61,68,6e,63,66,6b,6b,6d,68,6f,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Documents and Settings\\Trent\\My Documents\\GAMZ\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe"="C:\\Documents and Settings\\Trent\\My Documents\\GAMZ\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Disabled:Warcraft III"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Disabled:WinMX Application"
"C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Documents and Settings\\Trent\\My Documents\\GAMZ\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe"="C:\\Documents and Settings\\Trent\\My Documents\\GAMZ\\[ PC Games ] - Age of Empires II(FULL)\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"D:\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe"="D:\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\Documents and Settings\\Trent\\Desktop\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe"="C:\\Documents and Settings\\Trent\\Desktop\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\NoAdware3\\NoAdware3.exe"="C:\\Program Files\\NoAdware3\\NoAdware3.exe:*:Disabled:NoAdware "
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Disabled:Ares"
"C:\\Program Files\\Activision Value\\Magic Wand\\BGH2005\\Bin\\Bgh2005.exe"="C:\\Program Files\\Activision Value\\Magic Wand\\BGH2005\\Bin\\Bgh2005.exe:*:Enabled:Bgh2005"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows© NetMeeting©"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\DigitalFusion\\Beach Head - Desert War\\BH2Game\\BH2.exe"="C:\\Program Files\\DigitalFusion\\Beach Head - Desert War\\BH2Game\\BH2.exe:*:Enabled:BH2"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Documents and Settings\\Trent\\My Documents\\games\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe"="C:\\Documents and Settings\\Trent\\My Documents\\games\\[ PC Games ] - Age of Empires II(FULL)\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\WINDOWS\\system32\\bklqaxby.exe"="C:\\WINDOWS\\system32\\bkl"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 10 Oct 2007 625,152 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Thu 8 Nov 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 5 May 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 17 Jun 2007 26,112 ...H. --- "C:\Documents and Settings\Trent\My Documents\~WRL3246.tmp"
Sun 17 Jun 2007 25,088 ...H. --- "C:\Documents and Settings\Trent\My Documents\~WRL3351.tmp"
Thu 15 Aug 2002 266,240 A..H. --- "C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\Mavis Beacon Teaches Typing.exe"
Sat 17 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 6 Aug 2007 45,108 ...H. --- "C:\Documents and Settings\Karen\Local Settings\Temp\Z@R4.tmp"
Mon 6 Aug 2007 15,992 ...H. --- "C:\Documents and Settings\Karen\Local Settings\Temp\Z@R8.tmp"
Mon 6 Aug 2007 17,712 ...H. --- "C:\Documents and Settings\Karen\Local Settings\Temp\Z@RC.tmp"
Mon 6 Aug 2007 1,409 ...H. --- "C:\Documents and Settings\Karen\Local Settings\Temp\Z@S5.tmp"
Mon 6 Aug 2007 1,409 ...H. --- "C:\Documents and Settings\Karen\Local Settings\Temp\Z@S9.tmp"
Mon 6 Aug 2007 1,409 ...H. --- "C:\Documents and Settings\Karen\Local Settings\Temp\Z@SD.tmp"
Thu 8 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"
Tue 19 Jun 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eabf4d5c34535a00aa7d0d27e1ffc96b\BIT1.tmp"
Mon 16 Apr 2007 22,528 ...H. --- "C:\Documents and Settings\Karen\Application Data\Microsoft\Word\~WRL0004.tmp"

Finished!

#4 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 23 December 2007 - 07:27 PM

Ccleaner uninstall list

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.7
AiO_Scan_CDA
AiOSoftwareNPI
Apple Software Update
avast! Antivirus
BigPond ADSL SIK 5.6 Files
Brain Buster Quiz
BufferChm
CCleaner (remove only)
Clean Ram 1.20 - Free
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Empire Earth II
eSupportQFolder
Eudora
Express Burn
F300







+Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:34 AM, on 24/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\bklqaxby.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Segmento] C:\Program Files\ydt\Segmento_Alpha\Segmento_Alpha.exe
O4 - HKLM\..\Run: [6c06ac8f] rundll32.exe "C:\WINDOWS\system32\noetnqam.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109297745000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bklqaxby.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7390 bytes

#5 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 24 December 2007 - 04:48 AM

Hi :)

You had a password stealing trojan on your system. The passwords the trojan has stolen can be found here: C:\SDFix\Data.txt. Open the file in Notepad, and change all the passwords mentioned there from a clean computer.

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.7
AiO_Scan_CDA
AiOSoftwareNPI
Apple Software Update
avast! Antivirus
BigPond ADSL SIK 5.6 Files
Brain Buster Quiz
BufferChm
CCleaner (remove only)
Clean Ram 1.20 - Free
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Empire Earth II
eSupportQFolder
Eudora
Express Burn
F300

Is that the whole Uninstall List? It looks a little short, please post the complete one in your next reply. Also do the following:

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

In your next reply, please post:

  • the complete Uninstall List
  • the Combofix log (C:\Combofix.txt)
  • a new HijackThis log


#6 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 27 December 2007 - 12:52 AM

Uninstall list

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.7
AiO_Scan_CDA
AiOSoftwareNPI
Apple Software Update
avast! Antivirus
BigPond ADSL SIK 5.6 Files
Brain Buster Quiz
BufferChm
CCleaner (remove only)
Clean Ram 1.20 - Free
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
Empire Earth II
eSupportQFolder
Eudora
Express Burn
F300
F300_Help
Fax_CDA
GTK+ 2.10.13 runtime environment
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
HPSU306Stub
igLoader
Image Resizer Powertoy for Windows XP
InstantShareDevicesMFC
Intel® Extreme Graphics Driver
Intel® PRO Ethernet Adapter and Software
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2
LimeWire 4.14.12
Macromedia Shockwave Player
MarketResearch
Mavis Beacon Teaches Typing 15
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
msxml4
Nero 6 Ultra Edition
NewCopy_CDA
Nokia Connectivity Cable Driver
Nokia PC Suite
Numbers Up! VP V1.2.5
Photo Frame Show
Picasa 2
PitchPerfect Uninstall
Pivot Stickfigure Animator
Pixia
Plato Video To PSP Converter Free 3.61
ProductContextNPI
QuickTime
Raw
Readme
RegistryFix v6.2
Scan
ScannerCopy
Search Enhancer
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shockwave
SolutionCenter
Sonic DLA
SoundMAX
Status
StorageCrypt v2.0
Surround Mp4 Tool 3.0.4
System TuneUp
The GIMP 2.2.17
Toolbox
TrayApp
Typing Tournament V1.1.1 Home
Ulead Video ToolBox 2.0 Plus Nokia Edition
Unreal Tournament Demo
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoEgg Publisher
WavePad Uninstall
WebFldrs XP
WebReg
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Toolbar
YouTube Downloader 2.3


Combofix

ComboFix 07-12-21.4 - Trent 2007-12-27 16:18:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.819 [GMT 10:00]
Running from: C:\Documents and Settings\Trent\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aonjubrn.dll
C:\WINDOWS\system32\bklqaxby.exe
C:\WINDOWS\system32\btuvxruo.dll
C:\WINDOWS\system32\bytovxdl.dll
C:\WINDOWS\system32\cwtnwxay.exe
C:\WINDOWS\system32\dfcdcghn.dll
C:\WINDOWS\system32\drslxpip.dll
C:\WINDOWS\system32\eqrehcfu.exe
C:\WINDOWS\system32\ftuxcdon.exe
C:\WINDOWS\system32\gsnhyber.ini
C:\WINDOWS\system32\hdsmaygg.dll
C:\WINDOWS\system32\iqfqyfou.exe
C:\WINDOWS\system32\irnxfftl.dll
C:\WINDOWS\system32\ispansum.dll
C:\WINDOWS\system32\iypcnnrx.dll
C:\WINDOWS\system32\jqglukae.dll
C:\WINDOWS\system32\kariejls.dll
C:\WINDOWS\system32\llerfcow.dll
C:\WINDOWS\system32\lmvlyhsb.dll
C:\WINDOWS\system32\muegqyfk.exe
C:\WINDOWS\system32\nhgcdcfd.ini
C:\WINDOWS\system32\nuvmfcbu.dll
C:\WINDOWS\system32\oorujrox.dll
C:\WINDOWS\system32\oqjfuqar.dll
C:\WINDOWS\system32\oqtoetcf.exe
C:\WINDOWS\system32\ovudypfb.dll
C:\WINDOWS\system32\pipxlsrd.ini
C:\WINDOWS\system32\psoafycu.exe
C:\WINDOWS\system32\qhnnkgqb.exe
C:\WINDOWS\system32\qwkccyen.exe
C:\WINDOWS\system32\rbtcmyjv.dll
C:\WINDOWS\system32\rebyhnsg.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini2
C:\WINDOWS\system32\rucwqisl.exe
C:\WINDOWS\system32\scpwidrq.exe
C:\WINDOWS\system32\scwlngob.dll
C:\WINDOWS\system32\sljeirak.ini
C:\WINDOWS\system32\ujqarjfu.exe
C:\WINDOWS\system32\utoveqbu.exe
C:\WINDOWS\system32\vqpsyrvq.exe
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\wocfrell.ini
C:\WINDOWS\system32\wvqekdob.exe
C:\WINDOWS\system32\yioiregb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-24 15:39 . 2007-12-26 09:59 1,019,319 --ahs---- C:\WINDOWS\system32\fvsuakbg.ini
2007-12-24 11:11 . 2007-12-24 11:14 <DIR> d-------- C:\Program Files\CCleaner
2007-12-24 10:44 . 2007-12-24 10:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-23 15:38 . 2007-12-24 15:38 988,901 --ahs---- C:\WINDOWS\system32\maqnteon.ini
2007-12-22 14:43 . 2007-12-23 15:38 991,110 --ahs---- C:\WINDOWS\system32\ulrasaih.ini
2007-12-21 14:25 . 2007-12-21 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 09:58 . 2007-12-22 14:37 991,902 --ahs---- C:\WINDOWS\system32\caaxcjvp.ini
2007-12-19 17:47 . 2007-12-19 17:47 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-18 13:05 . 2007-12-19 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-18 12:46 . 2007-12-18 12:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-17 10:03 . 2007-12-18 12:18 879,620 --ahs---- C:\WINDOWS\system32\fvddupcs.ini
2007-12-15 17:40 . 2007-12-17 10:03 877,632 --ahs---- C:\WINDOWS\system32\bfugaktu.ini
2007-12-14 12:06 . 2007-12-15 17:37 869,325 --ahs---- C:\WINDOWS\system32\hynsobvs.ini
2007-12-11 14:29 . 2007-12-14 12:06 1,003,306 --ahs---- C:\WINDOWS\system32\pxurieqy.ini
2007-12-10 14:28 . 2007-12-11 14:29 859,064 --ahs---- C:\WINDOWS\system32\ullyomsh.ini
2007-12-09 16:14 . 2007-12-10 14:25 834,256 --ahs---- C:\WINDOWS\system32\gjjganwe.ini
2007-12-08 17:57 . 2007-12-21 12:47 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-08 17:53 . 2007-12-08 17:53 <DIR> d-------- C:\Program Files\RegistryFix
2007-12-07 08:43 . 2007-12-07 08:43 <DIR> d-------- C:\Program Files\FDRLab
2007-12-07 08:43 . 2007-12-07 08:43 <DIR> d-------- C:\Documents and Settings\Trent\Application Data\VideoEgg
2007-12-05 12:03 . 2007-12-05 12:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-03 11:22 . 2007-12-19 17:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-03 11:22 . 2007-12-03 11:22 0 --a------ C:\WINDOWS\AoADVDRipper.INI
2007-12-03 11:21 . 2005-12-30 20:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-03 11:21 . 2005-12-30 20:18 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-03 11:21 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2007-12-03 11:21 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2007-12-03 11:21 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2007-12-03 11:21 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2007-11-28 20:42 . 2007-11-28 20:42 <DIR> d-------- C:\WINDOWS\Typing Tournament V1.1.1 Home
2007-11-28 20:42 . 2007-12-07 14:06 <DIR> d-------- C:\Program Files\Typing Tournament V1.1.1 Home
2007-11-27 19:50 . 2007-11-27 19:50 <DIR> d-------- C:\WINDOWS\Numbers Up! VP V1.2.5
2007-11-27 19:50 . 2007-11-27 19:52 <DIR> d-------- C:\Program Files\Numbers Up! VP V1.2.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 02:47 --------- d-----w C:\Program Files\ydt
2007-12-18 02:20 --------- d-----w C:\Documents and Settings\Trent\Application Data\FrostWire
2007-12-17 05:40 --------- d-----w C:\Program Files\LimeWire
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-18 02:26 102,400 ----a-w C:\WINDOWS\Segmento_AlphaUninstall.exe
2007-11-18 02:01 77,824 ----a-w C:\WINDOWS\iRODUninstall.exe
2007-11-18 01:58 77,824 ----a-w C:\WINDOWS\SkycarUninstall.exe
2007-11-17 07:58 --------- d-----w C:\Program Files\Picasa2
2007-11-17 07:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 12:22 --------- d-----w C:\Documents and Settings\Karen\Application Data\alot
2007-11-06 10:09 --------- d-----w C:\Documents and Settings\JESS\Application Data\alot
2007-11-03 10:18 --------- d-----w C:\Program Files\FrameShow
2007-11-03 04:28 --------- d-----w C:\Documents and Settings\Trent\Application Data\PhotoFrameShow
2006-12-01 10:10 6,144 ----a-w C:\Documents and Settings\Karen\Application Data\internaldb8186.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 23:00]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"Segmento"="C:\Program Files\ydt\Segmento_Alpha\Segmento_Alpha.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 07:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-07-17 15:45:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
C:\WINDOWS\system32\req.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-10-24 07:18 443968 --a------ C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

S2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys []
S3 usbanyka;Anyka USB Web Camera;C:\WINDOWS\system32\DRIVERS\UsbAnyka.sys [2007-02-02 14:02]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 22:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 06:26:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-12-27 06:21:34 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-06-16 09:39:57 C:\WINDOWS\Tasks\RegistryMedicAuotScan.job"
- C:\Program Files\Iomatic\Registry Medic\RegMedical.exe
"2005-08-18 08:51:52 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 16:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 16:32:42 - machine was rebooted
.
2007-12-18 03:17:07 --- E O F ---



HJT


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:46 PM, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Segmento] C:\Program Files\ydt\Segmento_Alpha\Segmento_Alpha.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109297745000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7905 bytes

#7 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 27 December 2007 - 10:55 AM

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

LimeWire 4.14.12

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\fvsuakbg.ini
C:\WINDOWS\system32\maqnteon.ini
C:\WINDOWS\system32\ulrasaih.ini
C:\WINDOWS\system32\caaxcjvp.ini
C:\WINDOWS\system32\fvddupcs.ini
C:\WINDOWS\system32\bfugaktu.ini
C:\WINDOWS\system32\hynsobvs.ini
C:\WINDOWS\system32\pxurieqy.ini
C:\WINDOWS\system32\ullyomsh.ini
C:\WINDOWS\system32\gjjganwe.ini

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]

Driver::

SVKP

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

  • J2SE Runtime Environment 5.0 Update 3
  • Java 2 Runtime Environment, SE v1.4.2
  • Search Enhancer

Then download and install Java Runtime Environment (JRE) 6 Update 3.

Step 3

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log


#8 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 01 January 2008 - 09:42 AM

Are you still with me?

#9 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 01 January 2008 - 05:05 PM

Yes, sorry i have been away for the las 2 days i am running Kaspersky Online Scanner now

#10 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 02 January 2008 - 03:12 AM

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 02, 2008 6:59:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/01/2008
Kaspersky Anti-Virus database records: 501232
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 101282
Number of viruses found: 10
Number of infected objects: 105
Number of suspicious objects: 0
Duration of the scan process: 01:22:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082006-172723.log Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Trent\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D3FCC922-A3B3-4530-BC57-3D3492A47E1A} Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Temporary Internet Files\Content.IE5\GHDFYAUD\crossdomain[2].xml Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Temporary Internet Files\Content.IE5\JSWVASB9\songspot160_310[1].swf Object is locked skipped
C:\Documents and Settings\Trent\Local Settings\Temporary Internet Files\Content.IE5\PA6O65DW\BurstingInteractionsPipe[1].htm Object is locked skipped
C:\Documents and Settings\Trent\ntuser.dat Object is locked skipped
C:\Documents and Settings\Trent\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\aonjubrn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bklqaxby.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bytovxdl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cwtnwxay.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\dfcdcghn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drslxpip.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\eqrehcfu.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ftuxcdon.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\hdsmaygg.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\iqfqyfou.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\irnxfftl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ispansum.dll.vir Infected: Trojan.Win32.Pakes.bwd skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\iypcnnrx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\jqglukae.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kariejls.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\muegqyfk.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nuvmfcbu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oorujrox.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oqtoetcf.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ovudypfb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\psoafycu.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qhnnkgqb.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qwkccyen.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rbtcmyjv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rebyhnsg.dll.vir Infected: Backdoor.Win32.Agent.dlj skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rucwqisl.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\scpwidrq.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\scwlngob.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ujqarjfu.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\utoveqbu.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vqpsyrvq.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\wvqekdob.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\yioiregb.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\SDFix\backups\backups.zip/backups/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP576\A0234477.exe Infected: Trojan-Downloader.Win32.Small.guf skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234499.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234501.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234521.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234523.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234524.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234525.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP577\A0234529.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP582\A0234661.exe Infected: not-a-virus:PSWTool.Win32.PassView.p skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP585\A0235908.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP585\A0235932.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP586\A0235959.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP588\A0235993.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP589\A0236020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP594\A0237108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP596\A0237176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP598\A0237201.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP599\A0237238.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP600\A0237263.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237322.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237323.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237325.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237326.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237327.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237328.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237329.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237330.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237331.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP602\A0237332.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP604\A0237538.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP606\A0237606.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP608\A0237632.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP610\A0238682.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP610\A0238690.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP610\A0238733.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP611\A0238762.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238790.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238791.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238792.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238793.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238794.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238795.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238796.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238797.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238798.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238799.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238800.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238801.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238802.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238803.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238804.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238805.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238806.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238808.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238809.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238810.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238811.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238812.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238813.dll Infected: Trojan.Win32.Pakes.bwd skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238814.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238815.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238816.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238819.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238820.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238822.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238823.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238824.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238825.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP614\A0238826.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{BB3D050C-545B-4A12-BEC2-3427D97105BC}\RP621\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5dc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


ComboFix:

ComboFix 07-12-21.4 - Trent 2007-12-28 8:23:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.868 [GMT 10:00]
Running from: C:\Documents and Settings\Trent\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Trent\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\bfugaktu.ini
C:\WINDOWS\system32\caaxcjvp.ini
C:\WINDOWS\system32\fvddupcs.ini
C:\WINDOWS\system32\fvsuakbg.ini
C:\WINDOWS\system32\gjjganwe.ini
C:\WINDOWS\system32\hynsobvs.ini
C:\WINDOWS\system32\maqnteon.ini
C:\WINDOWS\system32\pxurieqy.ini
C:\WINDOWS\system32\ullyomsh.ini
C:\WINDOWS\system32\ulrasaih.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bfugaktu.ini
C:\WINDOWS\system32\caaxcjvp.ini
C:\WINDOWS\system32\fvddupcs.ini
C:\WINDOWS\system32\fvsuakbg.ini
C:\WINDOWS\system32\gjjganwe.ini
C:\WINDOWS\system32\hynsobvs.ini
C:\WINDOWS\system32\maqnteon.ini
C:\WINDOWS\system32\pxurieqy.ini
C:\WINDOWS\system32\ullyomsh.ini
C:\WINDOWS\system32\ulrasaih.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SVKP
-------\SVKP


((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-24 11:11 . 2007-12-24 11:14 <DIR> d-------- C:\Program Files\CCleaner
2007-12-24 10:44 . 2007-12-24 10:45 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 14:25 . 2007-12-21 14:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 17:47 . 2007-12-19 17:47 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-18 13:05 . 2007-12-19 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-18 12:46 . 2007-12-18 12:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-08 17:57 . 2007-12-21 12:47 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-08 17:53 . 2007-12-08 17:53 <DIR> d-------- C:\Program Files\RegistryFix
2007-12-07 08:43 . 2007-12-07 08:43 <DIR> d-------- C:\Program Files\FDRLab
2007-12-07 08:43 . 2007-12-07 08:43 <DIR> d-------- C:\Documents and Settings\Trent\Application Data\VideoEgg
2007-12-05 12:03 . 2007-12-05 12:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-03 11:22 . 2007-12-19 17:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-03 11:22 . 2007-12-03 11:22 0 --a------ C:\WINDOWS\AoADVDRipper.INI
2007-12-03 11:21 . 2005-12-30 20:10 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-03 11:21 . 2005-12-30 20:18 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-03 11:21 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2007-12-03 11:21 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2007-12-03 11:21 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2007-12-03 11:21 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2007-11-28 20:42 . 2007-11-28 20:42 <DIR> d-------- C:\WINDOWS\Typing Tournament V1.1.1 Home
2007-11-28 20:42 . 2007-12-07 14:06 <DIR> d-------- C:\Program Files\Typing Tournament V1.1.1 Home
2007-11-27 19:50 . 2007-11-27 19:50 <DIR> d-------- C:\WINDOWS\Numbers Up! VP V1.2.5
2007-11-27 19:50 . 2007-11-27 19:52 <DIR> d-------- C:\Program Files\Numbers Up! VP V1.2.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 02:47 --------- d-----w C:\Program Files\ydt
2007-12-18 02:20 --------- d-----w C:\Documents and Settings\Trent\Application Data\FrostWire
2007-12-17 05:40 --------- d-----w C:\Program Files\LimeWire
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-18 02:26 102,400 ----a-w C:\WINDOWS\Segmento_AlphaUninstall.exe
2007-11-18 02:01 77,824 ----a-w C:\WINDOWS\iRODUninstall.exe
2007-11-18 01:58 77,824 ----a-w C:\WINDOWS\SkycarUninstall.exe
2007-11-17 07:58 --------- d-----w C:\Program Files\Picasa2
2007-11-17 07:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 12:22 --------- d-----w C:\Documents and Settings\Karen\Application Data\alot
2007-11-06 10:09 --------- d-----w C:\Documents and Settings\JESS\Application Data\alot
2007-11-03 10:18 --------- d-----w C:\Program Files\FrameShow
2007-11-03 04:28 --------- d-----w C:\Documents and Settings\Trent\Application Data\PhotoFrameShow
2006-12-01 10:10 6,144 ----a-w C:\Documents and Settings\Karen\Application Data\internaldb8186.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-27_16.31.59.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-27 06:29:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_600.dat
+ 2007-12-27 23:18:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 23:00]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"Segmento"="C:\Program Files\ydt\Segmento_Alpha\Segmento_Alpha.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 07:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Personal Coach.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2007-07-17 15:45:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-10-24 07:18 443968 --a------ C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

S3 usbanyka;Anyka USB Web Camera;C:\WINDOWS\system32\DRIVERS\UsbAnyka.sys [2007-02-02 14:02]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 22:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 22:26:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-12-27 22:18:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2005-06-16 09:39:57 C:\WINDOWS\Tasks\RegistryMedicAuotScan.job"
- C:\Program Files\Iomatic\Registry Medic\RegMedical.exe
"2005-08-18 08:51:52 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 09:18:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 9:20:27 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-27 16:32
.
2007-12-18 03:17:07 --- E O F ---


HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:50 PM, on 2/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Segmento] C:\Program Files\ydt\Segmento_Alpha\Segmento_Alpha.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109297745000
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8327 bytes

#11 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 02 January 2008 - 04:35 AM

That's looking good, Kaspersky only found files in the backup folders of the tools we ran, and some infected Restore Points, which we will clean later on. How is your computer running now?

#12 sart7

sart7

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 02 January 2008 - 04:03 PM

It is running good. thanks a heap!

#13 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 02 January 2008 - 05:05 PM

Hi :)

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

You can now delete the following program(s):

  • SDFix, C:\SDFix\

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Posted Image

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti-Virus Software - It is very imprtant that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install Ad-Aware - Download and install Ad-Aware. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware

Update All These Programs Regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumonde)

#14 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 04 January 2008 - 04:42 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users