
[Resolved] Constant Hijack Attempt


  • This topic is locked
11 replies to this topic

#1 GreatGuy

GreatGuy

    Authentic Member

  • Authentic Member
  • 51 posts

Posted 03 May 2008 - 01:01 AM

There is a continuous attempt to hijack IE explorer. The SpywareGuard is blocking it but it is a nuisance as it keeps happening. Used AVG and Adaware but problem persists.

Hijack This log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 08:37:51, on 03/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetProject\sbmntr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://start.hsbc.c...uniperSetup.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
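The HijackThis log above is the artifact this thread works from. As an added example (not part of the original post and not code from HijackThis itself), here is a small Python triage script that applies the checks a helper applies by eye to lines in this format: R0/R1 search entries pointing somewhere other than IE's defaults, O2/O3 components still registered after their file is gone, components registered with no display name or under digits-only paths, and O4 Run entries that launch the same executable twice. The sample lines are a subset copied from the log in this post; the allowlist of default hosts and the finding codes are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Hosts that Internet Explorer's own search/start-page defaults point at.
# This allowlist is an assumption of the example, not something HijackThis ships.
DEFAULT_SEARCH_HOSTS = {
    "www.microsoft.com", "go.microsoft.com", "www.msn.com",
    "search.msn.com", "search.live.com",
}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>\S+)$")
COMPONENT_LINE = re.compile(
    r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_IN_CMD = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str    # short tag for the kind of anomaly (codes are this example's own)
    reason: str
    line: str


def _numeric_component(path: str) -> bool:
    """True if the file's stem or its parent directory is digits only."""
    parts = path.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    return stem.isdigit() or parent.isdigit()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    run_targets = {}  # lower-cased executable -> name of the first Run entry launching it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            # R0/R1: search and start-page values; anything off the default hosts is a hijack candidate
            host = (urlparse(m["url"]).hostname or "").lower()
            if host not in DEFAULT_SEARCH_HOSTS:
                findings.append(Finding("SEARCH_HIJACK", f"{m['value']} points at {host}", line))
            continue
        m = COMPONENT_LINE.match(line)
        if m:
            # O2/O3: browser helper objects and toolbars loaded into IE
            kind = "BHO" if m["kind"] == "2" else "toolbar"
            path = m["path"]
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].rstrip()
                findings.append(Finding("STALE_REGISTRATION",
                                        f"{kind} {m['clsid']} still registered but {path} is gone", line))
            if m["name"] == "(no name)":
                findings.append(Finding("ANONYMOUS_COMPONENT",
                                        f"{kind} registered without a display name", line))
            if _numeric_component(path):
                findings.append(Finding("NUMERIC_NAME",
                                        f"{kind} lives under a digits-only name: {path}", line))
            continue
        m = RUN_LINE.match(line)
        if m:
            # O4: registry Run entries; flag a second entry that launches an executable already seen
            e = EXE_IN_CMD.match(m["cmd"])
            exe = (e["exe"] if e else m["cmd"]).lower()
            first = run_targets.setdefault(exe, m["name"])
            if first != m["name"]:
                findings.append(Finding("DUPLICATE_RUN",
                                        f"[{m['name']}] launches the same file as [{first}]", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:20} {f.reason}")
```

Run against the sample it reports both search hijack entries, the missing 527631.dll and wamdl.dll registrations, the digits-only 527631 directory, the unnamed NetProject BHO and the doubled RegistryBooster Run entry, while the legitimate SpywareGuard BHO and the iPod service pass silently. The checks are heuristics for review, not verdicts: a "(file missing)" entry after a cleanup is leftover registration to remove, not necessarily live malware.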


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 03 May 2008 - 02:10 PM

Hi! Welcome to the forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
You too could train to help others- Join the Classroom


#3 GreatGuy

GreatGuy

    Authentic Member

  • Authentic Member
  • 51 posts

Posted 04 May 2008 - 03:28 AM

Scotty

Thanks for your help. Did as instructed, list is below.

Regards
Pete

Absolute MP3 Splitter version 2.3.8
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player Plugin
AnvSoft Flash to iPod Converter 1.10
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AVG Anti-Spyware 7.5
AVG Free Edition
AVS DVDMenu Editor 1.2.1.19
AVS Video Tools 5.6
ConvertXtoDVD 2.2.3.258h
Creative MediaSource
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Region+CSS Free 5.9.8.5
DVDFab Platinum 2.9.8.1 Beta
File Scavenger 3.2
Form Fill (Windows Live Toolbar)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotkey 2.0
ifs CeFA CDT 1.0
ImageMixer VCD2
Intel® 537EP Modem
Intel® PRO Network Connections Drivers
Internet Service
iTunes
J2SE Runtime Environment 5.0 Update 2
Juniper Networks Secure Application Manager
L&H TTS3000 British English
LaserJet 1020 series
Map Button (Windows Live Toolbar)
Marvell Miniport Driver
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Premium Suite 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.14)
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MUSIC PLAYER
Nero 7 Ultra Edition
neroxml
OneCare Advisor (Windows Live Toolbar)
OpenMG Limited Patch 3.3-03-09-03-01
OpenMG Secure Module 3.3.01
OrderReminder HP LaserJet 1020
Picture Package
Piolet 1.9.9
Popup Blocker (Windows Live Toolbar)
PowerDVD
PrimoPDF
PrimoPDF Redistribution Package
QuickTime
RealPlayer
Realtek High Definition Audio Driver
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem ^^
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Secure Browsing
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Shockwave
Smart Menus (Windows Live Toolbar)
Sony USB Driver
Sorenson Squeeze Trial
Sound Blaster Live! 24-bit
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
TubeHunter Ultra
TubeHunter Ultra
Ulead Photo Explorer 8.0 SE Basic
Ulead Photo Express 5 SE
Uniblue RegistryBooster 2
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VCRedistSetup
VIA Register Tool
Web Application
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Safety Alert
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 04 May 2008 - 01:59 PM

Hi

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet.
  • Click on this LINK to disable AVG & SpywareGuard
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom


#5 GreatGuy

GreatGuy

    Authentic Member

  • Authentic Member
  • 51 posts

Posted 04 May 2008 - 02:58 PM

Scotty

First of all, thanks for all your help.

Did as instructed. Logs below:

ComboFix 08-05-01.3 - Owner 2008-05-04 22:35:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.270 [GMT 2:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Documents and Settings\Owner\Favorites\Online Security Test.url
C:\Program Files\NetProject
C:\Program Files\NetProject\ot.ico
C:\Program Files\NetProject\sbmdl.dll
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\NetProject\sbun.exe
C:\Program Files\NetProject\scu.exe
C:\Program Files\NetProject\ts.ico

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-01 15:25 . 2008-05-02 15:06 <DIR> d-------- C:\WINDOWS\system32\527631
2008-04-28 06:22 . 2008-04-28 06:22 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-18 21:12 . 2008-04-18 21:12 <DIR> d-------- C:\Program Files\iPod
2008-04-18 21:12 . 2008-05-04 22:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 21:12 . 2008-04-18 21:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 21:11 . 2008-04-18 21:12 <DIR> d-------- C:\Program Files\iTunes
2008-04-18 00:41 . 2008-04-24 01:14 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-13 20:14 . 2008-04-13 21:08 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-04-10 18:45 . 2008-04-10 18:47 <DIR> d-------- C:\Program Files\File Scavenger 3.2
2008-04-10 18:14 . 2008-04-10 18:14 <DIR> d-------- C:\Program Files\Your Company Name
2008-04-10 18:14 . 2000-06-20 01:02 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-10 18:14 . 2001-11-28 03:58 1,950 --a------ C:\WINDOWS\system32\drivers\REGISTER.SYS
2008-04-10 17:34 . 2008-04-10 17:34 <DIR> d-------- C:\Program Files\Online Add-on
2008-04-10 17:31 . 2008-04-10 17:31 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-04-10 17:31 . 2008-04-10 17:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2008-04-10 17:31 . 2008-04-10 17:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-04-08 19:16 . 2008-04-10 17:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 19:16 . 2008-04-08 19:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-08 19:16 . 2008-04-08 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 18:21 . 2008-04-10 17:34 <DIR> d-------- C:\Program Files\RegCure
2008-04-06 21:16 . 2008-04-10 17:36 <DIR> d-------- C:\Program Files\Visual Zip Password Recovery Processor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 20:34 --------- d-----w C:\Program Files\Piolet
2008-05-04 20:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-05-04 20:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-05-03 12:43 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-02 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-01 14:08 --------- d-----w C:\Program Files\pio-DVD.Region+CSS.Free.5.9.8.5-crkexe
2008-04-28 04:22 --------- d-----w C:\Program Files\Common Files\Real
2008-04-18 19:13 --------- d-----w C:\Program Files\Apple Software Update
2008-04-18 19:10 --------- d-----w C:\Program Files\QuickTime
2008-04-10 15:36 --------- d-----w C:\Program Files\Ad-Aware
2008-04-10 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-10 15:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\ICAClient
2008-04-10 15:32 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-10 15:30 --------- d-----w C:\Program Files\DVD Shrink
2008-04-09 17:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-07 19:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-06 20:23 2,492 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2008-03-23 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-16 18:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-07 17:18 --------- d-----w C:\Program Files\Nero
2008-02-24 19:22 2,817,536 ----a-w C:\Program Files\ica32t.exe
2008-01-16 22:58 58,903,352 ----a-w C:\Program Files\avsvideotools.exe
2008-01-16 22:14 3,143,399 ----a-w C:\Program Files\flash-to-ipod-converter_a9637.exe
2008-01-15 22:01 4,039 ----a-w C:\Program Files\DVD_Region_CSS_Free_5.9.8.5_-Christley[www.btmon.com].torrent
2008-01-15 20:57 1,241,914 ----a-w C:\Program Files\DVDRegionFree5985.exe
2008-01-13 15:27 192,237 ----a-w C:\Program Files\video_downloadhelper-2.6-fx.xpi
2008-01-13 14:59 17,021,984 ----a-w C:\Program Files\DivXInstaller.exe
2008-01-06 16:09 878,192 ----a-w C:\Program Files\BitTorrent-6.0.exe
2008-01-06 15:49 100,000,000 ----a-w C:\Program Files\Ahead.Nero.v8.2.8.0.Incl.Keymaker-EMBRACE.part1.rar
2008-01-05 13:29 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-12-11 10:19 54,330,664 ----a-w C:\Program Files\iTunes75Setup.exe
2007-08-11 11:07 1,262,829 ----a-w C:\Program Files\PPMenuUpdateUS.exe
2007-08-11 10:36 1,164,456 ----a-w C:\Program Files\install_flash_player.exe
2007-06-30 10:17 262,696 ----a-w C:\Program Files\PioletSetup.exe
2007-05-23 17:46 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-04-15 16:53 13,825,601 ----a-w C:\Program Files\FreePrimo32Setup.exe
2007-01-24 13:08 76 ----a-w C:\Program Files\www.9down.com.url
2007-01-16 19:59 5,727,280 ----a-w C:\Program Files\Firefox Setup 2.0.0.1.exe
2007-01-13 16:04 25,755,448 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2007-01-13 15:30 1,475,376 ----a-w C:\Program Files\GenuineCheck.exe
2007-01-13 14:49 10,809,322 ----a-w C:\Program Files\u7f433bg.bin
2007-01-03 16:46 425 ----a-w C:\Program Files\File_id.diz
2007-01-03 16:46 3,174 ----a-w C:\Program Files\pio-DVD Region+CSS Free 5.9.8.5.crk.nfo
2006-08-31 17:22 456,823 ----a-w C:\Program Files\Fixwareout.exe
2006-08-31 17:03 296,716 ----a-w C:\Program Files\setup.exe
2006-08-30 19:25 488,144 ----a-w C:\Program Files\Copy of HJTsetup.exe
2002-02-02 13:02 72,192 ----a-w C:\Program Files\patch.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54160F28-994B-48DD-8D83-1B2F6B9EB054}]
C:\WINDOWS\system32\527631\527631.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= C:\Program Files\NetProject\wamdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 21:05 1498032]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37 7094272]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 11:18 1856544]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-12 11:27 288576]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 11:18 1856544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-17 17:09 579584]
"P17Helper"="P17.dll" [2005-05-03 13:38 64512 C:\WINDOWS\system32\P17.dll]
"Hotkey"="C:\Program Files\Hotkey\Hotkey.exe" [2004-04-03 18:38 36864]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"Piolet"="C:\Program Files\Piolet\Piolet.exe" [2007-04-13 10:52 5988352]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-04-28 06:21 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 06:21 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-01 18:12 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-08-11 12:19:25 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-08-11 12:19:21 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"= C:\WINDOWS\system32\uyhjw.dll [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 16:18 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-ra------ 2005-01-31 13:11 2752000 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-08-12 17:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotkey]
--a------ 2004-04-03 18:38 36864 C:\Program Files\Hotkey\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2005-03-18 13:18 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-01-05 09:40 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 03:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 03:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker]
--a------ 2004-01-12 21:40 69632 C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Piolet\\Piolet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 NEOFLTR_530_10641;Juniper Networks TDI Filter Driver (NEOFLTR_530_10641);C:\WINDOWS\system32\Drivers\NEOFLTR_530_10641.SYS [2006-04-27 07:40]
S3 jswmidin;jswmidin;C:\DOCUME~1\Owner\LOCALS~1\Temp\jswmidin.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]
S4 sysbus32;32bit system bus driver;C:\WINDOWS\system32\drivers\sysbus32.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 19:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-04 10:58:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-04 20:39:32 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-09 17:17:38 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 22:39:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Piolet\Piolet.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-04 22:45:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 20:45:19
ComboFix2.txt 2007-08-01 21:15:49

Pre-Run: 77,099,917,312 bytes free
Post-Run: 77,341,634,560 bytes free

231 --- E O F --- 2008-04-10 18:54:12



Logfile of HijackThis v1.99.1
Scan saved at 22:58, on 2008-05-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://start.hsbc.c...uniperSetup.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

#6 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 05 May 2008 - 05:30 AM

Hi

A couple of questions. When you download installer files, are you saving them into your Program Files folder? You do know these could be the source of your problems and will need to go?

C:\Program Files\Ahead.Nero.v8.2.8.0.Incl.Keymaker-EMBRACE.part1.rar
C:\Program Files\pio-DVD Region+CSS Free 5.9.8.5.crk.nfo
You too could train to help others- Join the Classroom


#7 GreatGuy (Authentic Member, 51 posts)

Posted 05 May 2008 - 12:15 PM

Scotty

Thanks for your reply. Please excuse the delay, but work and other commitments, and probably different time zones, hinder our communication at times.

Yes, I do download installer files and save them in the Program Files folder. I have no problem deleting them if necessary. I use Nero 7 and only had version 8 for a trial. The other file link was sent to me to download. What should I do?

Regards
Pete

#8 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 06 May 2008 - 03:29 AM

Hi

I'll take care of the files. When I download installers, I just save them to my Desktop, run them, then delete them.


Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. You must also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingc...opic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\Program Files\pio-DVD.Region+CSS.Free.5.9.8.5-crkexe
C:\Program Files\ica32t.exe
C:\Program Files\avsvideotools.exe
C:\Program Files\flash-to-ipod-converter_a9637.exe
C:\Program Files\DVD_Region_CSS_Free_5.9.8.5_-Christley[www.btmon.com].torrent
C:\Program Files\DVDRegionFree5985.exe
C:\Program Files\video_downloadhelper-2.6-fx.xpi
C:\Program Files\DivXInstaller.exe
C:\Program Files\BitTorrent-6.0.exe
C:\Program Files\iTunes75Setup.exe
C:\Program Files\PPMenuUpdateUS.exe
C:\Program Files\install_flash_player.exe
C:\Program Files\PioletSetup.exe
C:\Program Files\spybotsd14.exe
C:\Program Files\FreePrimo32Setup.exe
C:\Program Files\www.9down.com.url
C:\Program Files\Firefox Setup 2.0.0.1.exe
C:\Program Files\wmp11-windowsxp-x86-enu.exe
C:\Program Files\GenuineCheck.exe
C:\Program Files\u7f433bg.bin
C:\Program Files\File_id.diz
C:\Program Files\Fixwareout.exe
C:\Program Files\setup.exe
C:\Program Files\Copy of HJTsetup.exe
C:\Program Files\patch.exe

Folder::
C:\Program Files\Ahead.Nero.v8.2.8.0.Incl.Keymaker-EMBRACE.part1.rar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54160F28-994B-48DD-8D83-1B2F6B9EB054}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
[-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"=-
[-HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"=-

Driver::
jswmidin

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

*Note* If you do not have Firefox or Opera, those options will be greyed out.



Please do an online scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
Instructions on disabling a variety of security programs can be found at the link below.

http://www.bleepingc...opic114351.html

In your next reply post:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run

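An added example, not part of this thread and not code from HijackThis, ComboFix or the forum's own tooling: a small Python script that applies the checks Scotty applied by eye to the logs above and shortlists the entries worth a second look. It flags an entry whose path is followed by "(file missing)", a ComboFix entry whose trailing [date time size] stamp is empty (ComboFix could not find the file on disk), a driver or module loading from a Temp directory, a module whose file name is nothing but digits, and an IE search setting whose host is not on a short allowlist. The sample lines are copied from the HijackThis and ComboFix logs posted in this thread; the allowlist of search hosts is an assumption, not something the logs state.

```python
"""Shortlist suspicious autostart entries from HijackThis / ComboFix log lines.

Added example for this thread, not part of HijackThis, ComboFix or the
forum's own tooling.  It encodes the checks a log reader applies by eye:
  * "(file missing)" after an entry's path
  * a ComboFix entry whose trailing [date time size] stamp is empty, i.e.
    ComboFix could not find the file on disk
  * a driver or module loading from a Temp directory
  * a module whose file name is nothing but digits
  * an IE search setting whose host is not on a short allowlist (assumption)
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts an XP-era IE search setting is expected to point at (assumption; extend as needed).
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "search.live.com", "www.google.com"}

FILE_MISSING = "(file missing)"
STAMP = re.compile(r"\[(?P<stamp>[^\]]*)\]\s*$")          # ComboFix trailing [2005-08-30 18:57]
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)          # ...\LOCALS~1\Temp\... and friends
MODULE = re.compile(r"(?P<stem>[^\\\s]+)\.(?P<ext>dll|exe|sys|ocx)\b", re.IGNORECASE)
SEARCH_SETTING = re.compile(
    r"(?:SearchURL|SearchAssistant|Default_Search_URL|Start Page) = (?P<url>\S+)")

# Sample input: lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: 527631 helper - {54160F28-994B-48DD-8D83-1B2F6B9EB054} - C:\WINDOWS\system32\527631\527631.dll (file missing)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"= C:\WINDOWS\system32\uyhjw.dll [ ]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 16:18 49152]
S3 jswmidin;jswmidin;C:\DOCUME~1\Owner\LOCALS~1\Temp\jswmidin.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
"""


def triage_line(line: str) -> List[str]:
    """Return the reasons one log line deserves a second look (empty list if none)."""
    reasons: List[str] = []
    if FILE_MISSING in line:
        reasons.append("backing file missing")
    stamp = STAMP.search(line)
    if stamp and not stamp.group("stamp").strip():
        reasons.append("ComboFix found no file on disk (empty [ ] stamp)")
    if TEMP_DIR.search(line):
        reasons.append("loads from a Temp directory")
    module = MODULE.search(line)
    if module and module.group("stem").isdigit():
        reasons.append(f"numeric-only module name {module.group(0)}")
    search = SEARCH_SETTING.search(line)
    if search:
        host = (urlparse(search.group("url")).hostname or "").lower()
        if host not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"search setting points at unknown host {host}")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged line of a log to its reasons, in log order."""
    findings: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


def reasons_for(findings: Dict[str, List[str]], needle: str) -> List[str]:
    """Reasons for the first flagged line containing needle; [] if it was not flagged."""
    for line, reasons in findings.items():
        if needle in line:
            return reasons
    return []


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

The shortlist is a starting point, not a verdict. Run on the sample it picks out the same items Scotty's CFScript targets (the 527631 BHO, the NetProject toolbar, the SharedTaskScheduler entry for uyhjw.dll and the jswmidin driver in Temp) together with the internetsearchservice.com search hijack, but "file missing" on its own also catches harmless leftovers such as the xpnetdiag.exe entry, which the script above leaves alone. A human still decides what goes into the Registry:: and Driver:: sections.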

#9 GreatGuy (Authentic Member, 51 posts)

Posted 06 May 2008 - 04:17 PM

Scotty

Thanks again for assistance. It took some time but below please find:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run

ComboFix 08-05-01.3 - Owner 2008-05-06 20:28:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.261 [GMT 2:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\avsvideotools.exe
C:\Program Files\BitTorrent-6.0.exe
C:\Program Files\Copy of HJTsetup.exe
C:\Program Files\DivXInstaller.exe
C:\Program Files\DVD_Region_CSS_Free_5.9.8.5_-Christley[www.btmon.com].torrent
C:\Program Files\DVDRegionFree5985.exe
C:\Program Files\File_id.diz
C:\Program Files\Firefox Setup 2.0.0.1.exe
C:\Program Files\Fixwareout.exe
C:\Program Files\flash-to-ipod-converter_a9637.exe
C:\Program Files\FreePrimo32Setup.exe
C:\Program Files\GenuineCheck.exe
C:\Program Files\ica32t.exe
C:\Program Files\install_flash_player.exe
C:\Program Files\iTunes75Setup.exe
C:\Program Files\patch.exe
C:\Program Files\pio-DVD.Region+CSS.Free.5.9.8.5-crkexe
C:\Program Files\PioletSetup.exe
C:\Program Files\PPMenuUpdateUS.exe
C:\Program Files\setup.exe
C:\Program Files\spybotsd14.exe
C:\Program Files\u7f433bg.bin
C:\Program Files\video_downloadhelper-2.6-fx.xpi
C:\Program Files\wmp11-windowsxp-x86-enu.exe
C:\Program Files\www.9down.com.url
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Ahead.Nero.v8.2.8.0.Incl.Keymaker-EMBRACE.part1.rar\
C:\Program Files\avsvideotools.exe
C:\Program Files\BitTorrent-6.0.exe
C:\Program Files\Copy of HJTsetup.exe
C:\Program Files\DivXInstaller.exe
C:\Program Files\DVD_Region_CSS_Free_5.9.8.5_-Christley[www.btmon.com].torrent
C:\Program Files\DVDRegionFree5985.exe
C:\Program Files\File_id.diz
C:\Program Files\Firefox Setup 2.0.0.1.exe
C:\Program Files\Fixwareout.exe
C:\Program Files\flash-to-ipod-converter_a9637.exe
C:\Program Files\FreePrimo32Setup.exe
C:\Program Files\GenuineCheck.exe
C:\Program Files\ica32t.exe
C:\Program Files\install_flash_player.exe
C:\Program Files\iTunes75Setup.exe
C:\Program Files\patch.exe
C:\Program Files\PioletSetup.exe
C:\Program Files\PPMenuUpdateUS.exe
C:\Program Files\setup.exe
C:\Program Files\spybotsd14.exe
C:\Program Files\u7f433bg.bin
C:\Program Files\video_downloadhelper-2.6-fx.xpi
C:\Program Files\wmp11-windowsxp-x86-enu.exe
C:\Program Files\www.9down.com.url

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JSWMIDIN
-------\Service_jswmidin


((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-01 15:25 . 2008-05-02 15:06 <DIR> d-------- C:\WINDOWS\system32\527631
2008-04-28 06:22 . 2008-04-28 06:22 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-18 21:12 . 2008-04-18 21:12 <DIR> d-------- C:\Program Files\iPod
2008-04-18 21:12 . 2008-05-06 20:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 21:12 . 2008-04-18 21:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 21:11 . 2008-04-18 21:12 <DIR> d-------- C:\Program Files\iTunes
2008-04-18 00:41 . 2008-04-24 01:14 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-13 20:14 . 2008-04-13 21:08 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-04-10 18:45 . 2008-04-10 18:47 <DIR> d-------- C:\Program Files\File Scavenger 3.2
2008-04-10 18:14 . 2008-04-10 18:14 <DIR> d-------- C:\Program Files\Your Company Name
2008-04-10 18:14 . 2000-06-20 01:02 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-10 18:14 . 2001-11-28 03:58 1,950 --a------ C:\WINDOWS\system32\drivers\REGISTER.SYS
2008-04-10 17:34 . 2008-04-10 17:34 <DIR> d-------- C:\Program Files\Online Add-on
2008-04-10 17:31 . 2008-04-10 17:31 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-04-10 17:31 . 2008-04-10 17:31 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2008-04-10 17:31 . 2008-04-10 17:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-04-08 19:16 . 2008-04-10 17:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 19:16 . 2008-04-08 19:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-08 19:16 . 2008-04-08 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-08 18:21 . 2008-04-10 17:34 <DIR> d-------- C:\Program Files\RegCure
2008-04-06 21:16 . 2008-04-10 17:36 <DIR> d-------- C:\Program Files\Visual Zip Password Recovery Processor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 18:28 --------- d-----w C:\Program Files\Piolet
2008-05-06 18:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-05-06 18:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-05-03 12:43 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-02 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-01 14:08 --------- d-----w C:\Program Files\pio-DVD.Region+CSS.Free.5.9.8.5-crkexe
2008-04-28 04:22 --------- d-----w C:\Program Files\Common Files\Real
2008-04-18 19:13 --------- d-----w C:\Program Files\Apple Software Update
2008-04-18 19:10 --------- d-----w C:\Program Files\QuickTime
2008-04-10 15:36 --------- d-----w C:\Program Files\Ad-Aware
2008-04-10 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-10 15:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\ICAClient
2008-04-10 15:32 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-10 15:30 --------- d-----w C:\Program Files\DVD Shrink
2008-04-09 17:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-07 19:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-06 20:23 2,492 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2008-03-23 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-16 18:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-07 17:18 --------- d-----w C:\Program Files\Nero
2008-01-06 15:49 100,000,000 ----a-w C:\Program Files\Ahead.Nero.v8.2.8.0.Incl.Keymaker-EMBRACE.part1.rar
2008-01-05 13:29 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-01-03 16:46 3,174 ----a-w C:\Program Files\pio-DVD Region+CSS Free 5.9.8.5.crk.nfo
.

((((((((((((((((((((((((((((( snapshot@2008-05-04_22.44.59.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 20:39:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 18:33:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-03-13 08:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 21:05 1498032]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37 7094272]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 11:18 1856544]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-12 11:27 288576]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 11:18 1856544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-17 17:09 579584]
"P17Helper"="P17.dll" [2005-05-03 13:38 64512 C:\WINDOWS\system32\P17.dll]
"Hotkey"="C:\Program Files\Hotkey\Hotkey.exe" [2004-04-03 18:38 36864]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"Piolet"="C:\Program Files\Piolet\Piolet.exe" [2007-04-13 10:52 5988352]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-04-28 06:21 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 06:21 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-01 18:12 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-08-11 12:19:25 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-08-11 12:19:21 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 16:18 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
-ra------ 2005-01-31 13:11 2752000 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-08-12 17:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotkey]
--a------ 2004-04-03 18:38 36864 C:\Program Files\Hotkey\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2005-03-18 13:18 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2005-01-05 09:40 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2005-05-20 03:11 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 03:36 36975 C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker]
--a------ 2004-01-12 21:40 69632 C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Piolet\\Piolet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

R1 NEOFLTR_530_10641;Juniper Networks TDI Filter Driver (NEOFLTR_530_10641);C:\WINDOWS\system32\Drivers\NEOFLTR_530_10641.SYS [2006-04-27 07:40]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]
S4 sysbus32;32bit system bus driver;C:\WINDOWS\system32\drivers\sysbus32.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 19:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-05 21:58:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-06 18:33:12 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-09 17:17:38 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 20:33:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Piolet\Piolet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-05-06 20:37:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 18:37:24
ComboFix2.txt 2008-05-04 20:45:26
ComboFix3.txt 2007-08-01 21:15:49

Pre-Run: 76,968,857,600 bytes free
Post-Run: 76,982,140,928 bytes free

249 --- E O F --- 2008-04-10 18:54:12
_____________________________________________________________________________

KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 07, 2008 12:11:19 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 742676
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
G:\
H:\
Scan Statistics
Total number of scanned objects 80380
Number of viruses found 14
Number of infected objects 108
Number of suspicious objects 0
Duration of the scan process 01:12:03

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\m225jtwg.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\fla240.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DF18BC.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DF6CCB.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\temp\~DFC3CE.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\PC Security\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\Program Files\Nero\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\Nero\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbmdl.dll.vir Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbmntr.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lvm skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbun.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lvn skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\scu.exe.vir Infected: Trojan-Downloader.Win32.Zlob.mjr skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP76\A0022913.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP76\A0022914.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP76\A0022915.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP76\A0022916.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP76\A0022917.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP80\A0025615.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP80\A0025616.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP80\A0025617.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP80\A0025618.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP80\A0025619.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034031.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034032.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034033.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034034.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034035.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034157.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034158.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034159.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034160.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP81\A0034161.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039647.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039648.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039649.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039650.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039651.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039710.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039711.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039712.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039713.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0039714.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040846.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040847.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040848.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040849.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040850.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040889.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040890.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040891.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040892.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP82\A0040893.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043662.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043663.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043664.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043665.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043666.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043801.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043802.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043803.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043804.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0043805.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045859.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045860.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045861.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045862.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045863.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045920.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045921.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045922.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045923.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0045924.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048500.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048501.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048502.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048503.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048504.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048541.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048542.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048543.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048544.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0048545.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049626.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049627.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049628.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049629.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049630.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049669.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049670.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049671.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049672.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP83\A0049673.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0052983.exe Infected: Trojan-Downloader.Win32.Zlob.lwq skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053183.exe Infected: Trojan-Downloader.Win32.Zlob.mji skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053184.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053185.exe Infected: Trojan-Downloader.Win32.Zlob.lvk skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053214.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053216.exe Infected: Trojan-Downloader.Win32.Zlob.lvk skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053221.dll Infected: Trojan-Downloader.Win32.Zlob.lvi skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053222.dll Infected: not-a-virus:AdWare.Win32.E404.an skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053230.exe Infected: Trojan-Downloader.Win32.Zlob.mep skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053231.exe Infected: Trojan-Downloader.Win32.Zlob.mji skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053247.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053327.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053348.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP87\A0053367.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP88\A0053390.dll Infected: Trojan-Downloader.Win32.Zlob.lvl skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP88\A0053391.exe Infected: Trojan-Downloader.Win32.Zlob.lvm skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP88\A0053392.exe Infected: Trojan-Downloader.Win32.Zlob.lvn skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP88\A0053393.exe Infected: Trojan-Downloader.Win32.Zlob.mjr skipped
C:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP89\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{E13A6A0D-FF7A-43EA-821C-6D9E855689E3}\RP89\change.log Object is locked skipped
Scan process completed.
_____________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 00:13, on 2008-05-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Hotkey\Hotkey.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Hotkey] C:\Program Files\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://start.hsbc.c...uniperSetup.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 May 2008 - 01:13 AM

Hi

Have a read of this
http://www.benedelma...e/ask-toolbars/

and decide if you really want to keep the Ask toolbar. I recommend its removal.

Congratulations, you appear to be malware free.

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (5th one down the list), which is JRE6u6, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.
There is no need to download the Sun Download manager but it is optional.



Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid-for version offers real-time protection.

Here are a couple of other free programs I recommend.

Winpatrol
Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.

Spyware Blaster
SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

You can download SpywareBlaster from Javacool.

If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.


Hosts File
A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

This Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here is a good Hosts file:

MVPS Hosts File

A tutorial about Hosts File can be found at Malware Removal.


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malware...wtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
You too could train to help others - Join the Classroom

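The Hosts file section above describes blocking by mapping unwanted sites to 127.0.0.1. The script below, an added example that is not part of the forum post or the MVPS project, parses a Hosts file in that layout and reports which names it redirects to a blackhole address; the sample Hosts content and the `.example` domains are constructed for the demonstration.

```python
"""Report which hostnames a Windows-style Hosts file blocks (added example)."""
import re

# Addresses a blocking Hosts file points unwanted sites to: the loopback address
# the post mentions, plus 0.0.0.0, which newer blocklists use so the connection
# fails immediately instead of reaching a local web server.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost"}  # legitimately mapped to loopback, never "blocked"

# Constructed sample in the MVPS layout: comment header, then one address
# followed by one or more hostnames per line. Domains are placeholders.
SAMPLE_HOSTS = """\
# Sample blocking Hosts file (constructed header comment)
127.0.0.1  localhost
127.0.0.1  ad-server.example   # trailing comments are allowed
127.0.0.1  tracker.example www.tracker.example
0.0.0.0    spyware-site.example
192.168.1.10   intranet.example
"""


def parse_hosts(text):
    """Return {hostname (lower-case): address} for every mapping in the file.

    Blank lines and '#' comments (whole-line or trailing) are skipped; a line
    may list several hostnames after the address, as in the real format.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment, if any
        if not line:
            continue
        address, *names = re.split(r"\s+", line)
        for name in names:
            mapping[name.lower()] = address  # lookups are case-insensitive
    return mapping


def is_blocked(hostname, mapping):
    """True if the Hosts file redirects hostname to a blackhole address."""
    name = hostname.lower()
    return name not in LOCAL_NAMES and mapping.get(name) in BLACKHOLE_ADDRESSES


def blocked_hosts(mapping):
    """Sorted list of every hostname the file redirects to a blackhole."""
    return sorted(h for h in mapping if is_blocked(h, mapping))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ad-server.example", "WWW.TRACKER.EXAMPLE", "intranet.example"):
        print(f"{host:24} blocked={is_blocked(host, table)}")
    print("blocked entries:", blocked_hosts(table))
```

To check a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `parse_hosts` instead of `SAMPLE_HOSTS`; a name that is neither blocked nor mapped elsewhere simply falls through to normal DNS.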

#11 GreatGuy

GreatGuy

    Authentic Member

  • Authentic Member
  • PipPip
  • 51 posts

Posted 07 May 2008 - 02:55 PM

Scotty, thanks. You are absolutely brilliant. All OK with the PC now thanks to you, and I also downloaded Winpatrol and Hosts to be even more secure. Thanks a million. Thread can be closed. Take care. Pete

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 May 2008 - 03:01 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
You too could train to help others - Join the Classroom
