Thread: Help please! I keep getting trojan detected via AVG

  1. #1 Junior Member (Join Date: Oct 2007, Posts: 6)

    Help please! I keep getting trojan detected via AVG

    Hi, as stated in the title, AVG keeps detecting trojans, but when I heal them they keep coming back on start-up.

    Here is my HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:51:11, on 16/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Vtune\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O1 - Hosts: 213.177.119.18 nprotect.lineage2.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {094EA1FF-9A31-447A-85E1-E02658FF8FF8} - C:\WINDOWS\system32\dpwsockd.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: H - {8FB29334-4C02-47f0-9CA3-4DC307398F9C} - rreesssvv.dll (file missing)
    O2 - BHO: (no name) - {95DA1EF1-34E1-4887-8267-68AED928356C} - c:\windows\system32\asferrorr.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [k5r] C:\WINDOWS\system32\k5r.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    O4 - HKCU\..\Run: [k5r] C:\WINDOWS\system32\k5r.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.custhelp.com/7540-b3.../java/RntX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A295A96-2E47-4B81-BFF3-0C207BDF26A5}: NameServer = 192.168.2.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - C:\WINDOWS\mf4B.tmp
    O20 - Winlogon Notify: btmczjfc - C:\WINDOWS\SYSTEM32\asferrorr.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 8552 bytes


    And I got this from Kaspersky

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\asferrorr.dll Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\dpwsockd.dll Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    The item in bold is the apparent trojan AVG is trying to get rid of. If anyone could spare some of their precious time to help me out it would be much appreciated. Thanks a lot.

  2. #2 Emeritus (Join Date: Jul 2007, Posts: 706)

    Download the latest version of ComboFix from Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  3. #3 Junior Member (Join Date: Oct 2007, Posts: 6)

    Thanks for the help, here are the 2 logs you need.

    ComboFix 07-10-17.8 - Owner 2007-10-17 10:20:29.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1601 [GMT 1:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\RECYCLER\RB3.tmp
    C:\WINDOWS\system32\asferrorr.dll
    C:\WINDOWS\system32\asferrorr.dll.bak
    C:\WINDOWS\system32\commands.xml
    C:\WINDOWS\system32\dpwsockd.dll
    C:\WINDOWS\system32\drivers\gzsdthvc.dat
    C:\WINDOWS\system32\drivers\ibfywlxn.dat
    C:\WINDOWS\system32\drivers\ibfywlxn.dat
    C:\WINDOWS\system32\help.txt
    C:\WINDOWS\system32\ps.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_MMKSHAIW
    -------\LEGACY_NOUPOFSZ
    -------\mmkshaiw
    -------\noupofsz


    ((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
    .

    2007-10-16 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-16 15:12 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-15 16:33 <DIR> d-------- C:\Program Files\PlayOnline
    2007-10-15 16:33 <DIR> d-------- C:\Program Files\Common Files\PlayOnline
    2007-10-12 14:35 <DIR> d-------- C:\Program Files\Java
    2007-10-12 14:35 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-11 14:03 <DIR> d-------- C:\Temp
    2007-10-10 12:33 <DIR> d-------- C:\Program Files\Google
    2007-10-08 10:07 <DIR> d-------- C:\Program Files\WinPcap
    2007-09-26 21:03 <DIR> d-------- C:\Program Files\Common Files\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-17 09:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2007-10-17 09:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-15 18:14 --------- d-----w C:\Program Files\Warcraft III
    2007-10-15 16:30 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
    2007-10-15 16:30 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
    2007-10-15 16:24 15,872 ----a-w C:\WINDOWS\system32\k5r.exe
    2007-10-15 15:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-12 14:55 --------- d-----w C:\Program Files\Lineage II
    2007-10-12 14:53 153,925 ----a-w C:\WINDOWS\system32\drivers\dump_wmimmc.sys
    2007-10-11 13:03 --------- d-----w C:\Program Files\Sony
    2007-10-11 09:41 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\PestPatrol
    2007-10-05 10:25 --------- d-----w C:\Program Files\World of Warcraft
    2007-10-04 18:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
    2007-10-04 16:22 --------- d-----w C:\Program Files\mIRC
    2007-09-11 19:44 491,540 ----a-w C:\L2.exe
    2007-09-07 22:24 184,320 ----a-w C:\WINDOWS\system32\kDM8OD71.dll
    2007-09-07 04:30 184,320 ----a-w C:\WINDOWS\system32\lgE5fW6U.dll
    2007-09-06 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2007-09-06 02:29 184,320 ----a-w C:\WINDOWS\system32\2C0lJ0bN.dll
    2007-07-26 03:06 144,704 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-07-26 02:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-07-26 02:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-07-26 02:53 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-07-26 02:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-07-26 02:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2007-07-26 02:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-07-26 02:53 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-07-26 02:50 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-07-26 02:50 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-07-26 02:50 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-07-26 02:50 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-07-26 02:50 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-07-26 02:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-07-26 02:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-07-26 02:50 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-07-26 02:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-07-26 02:50 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-07-26 02:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB29334-4C02-47f0-9CA3-4DC307398F9C}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
    "JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44]
    "JMB36X Configure"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-10-30 13:44]
    "Gainward"="C:\Program Files\Vtune\TBPanel.exe" [2006-11-24 11:31]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-24 06:52]
    "nwiz"="nwiz.exe" [2006-11-24 06:52 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-11-24 06:52]
    "Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
    "PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-15 05:13]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "k5r"="C:\WINDOWS\system32\k5r.exe" [2007-10-15 17:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 15:18]
    "Jessops Insert Detect"="C:\Program Files\Jessops\Picture Suite\InsDetect.exe" [2003-02-17 11:45]
    "k5r"="C:\WINDOWS\system32\k5r.exe" [2007-10-15 17:24]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00]

    R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
    R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-14 23:00:00 C:\WINDOWS\Tasks\At1.job"
    - C:\WINDOWS\system32\WL5Y405w.exe
    "2007-10-15 08:00:00 C:\WINDOWS\Tasks\At10.job"
    "2007-10-15 09:00:00 C:\WINDOWS\Tasks\At11.job"
    "2007-10-15 10:00:00 C:\WINDOWS\Tasks\At12.job"
    "2007-10-15 11:00:00 C:\WINDOWS\Tasks\At13.job"
    "2007-10-15 12:00:00 C:\WINDOWS\Tasks\At14.job"
    "2007-10-15 13:00:00 C:\WINDOWS\Tasks\At15.job"
    "2007-10-16 14:00:00 C:\WINDOWS\Tasks\At16.job"
    "2007-10-16 15:00:00 C:\WINDOWS\Tasks\At17.job"
    "2007-10-15 16:00:00 C:\WINDOWS\Tasks\At18.job"
    "2007-10-15 17:00:00 C:\WINDOWS\Tasks\At19.job"
    "2007-10-15 00:00:00 C:\WINDOWS\Tasks\At2.job"
    "2007-10-15 18:00:00 C:\WINDOWS\Tasks\At20.job"
    "2007-10-15 19:00:00 C:\WINDOWS\Tasks\At21.job"
    "2007-10-15 20:00:00 C:\WINDOWS\Tasks\At22.job"
    "2007-10-15 21:00:00 C:\WINDOWS\Tasks\At23.job"
    "2007-10-14 22:00:00 C:\WINDOWS\Tasks\At24.job"
    "2007-10-15 01:00:00 C:\WINDOWS\Tasks\At3.job"
    "2007-10-15 02:00:00 C:\WINDOWS\Tasks\At4.job"
    "2007-10-15 03:00:00 C:\WINDOWS\Tasks\At5.job"
    "2007-10-15 04:00:00 C:\WINDOWS\Tasks\At6.job"
    "2007-10-15 05:00:00 C:\WINDOWS\Tasks\At7.job"
    "2007-10-15 06:00:00 C:\WINDOWS\Tasks\At8.job"
    "2007-10-15 07:00:00 C:\WINDOWS\Tasks\At9.job"
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-17 10:24:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-17 10:25:55 - machine was rebooted
    .
    --- E O F ---

    and HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:28:45, on 17/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Vtune\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: H - {8FB29334-4C02-47f0-9CA3-4DC307398F9C} - rreesssvv.dll (file missing)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [k5r] C:\WINDOWS\system32\k5r.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    O4 - HKCU\..\Run: [k5r] C:\WINDOWS\system32\k5r.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.custhelp.com/7540-b3.../java/RntX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A295A96-2E47-4B81-BFF3-0C207BDF26A5}: NameServer = 192.168.2.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 7923 bytes

    Thanks again

  4. #4 Emeritus (Join Date: Jul 2007, Posts: 706)

    Did you install WinPcap?

    • Open a new notepad window (Start>All programs>accessories>notepad)
    • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
      Code:
      File::
      C:\WINDOWS\system32\k5r.exe
      C:\WINDOWS\system32\kDM8OD71.dll
      C:\WINDOWS\system32\lgE5fW6U.dll
      C:\WINDOWS\system32\2C0lJ0bN.dll
      C:\WINDOWS\Tasks\At1.job
      C:\WINDOWS\Tasks\At10.job
      C:\WINDOWS\Tasks\At11.job
      C:\WINDOWS\Tasks\At12.job
      C:\WINDOWS\Tasks\At13.job
      C:\WINDOWS\Tasks\At14.job
      C:\WINDOWS\Tasks\At15.job
      C:\WINDOWS\Tasks\At16.job
      C:\WINDOWS\Tasks\At17.job
      C:\WINDOWS\Tasks\At18.job
      C:\WINDOWS\Tasks\At19.job
      C:\WINDOWS\Tasks\At2.job
      C:\WINDOWS\Tasks\At20.job
      C:\WINDOWS\Tasks\At21.job
      C:\WINDOWS\Tasks\At22.job
      C:\WINDOWS\Tasks\At23.job
      C:\WINDOWS\Tasks\At24.job
      C:\WINDOWS\Tasks\At3.job
      C:\WINDOWS\Tasks\At4.job
      C:\WINDOWS\Tasks\At5.job
      C:\WINDOWS\Tasks\At6.job
      C:\WINDOWS\Tasks\At7.job
      C:\WINDOWS\Tasks\At8.job
      C:\WINDOWS\Tasks\At9.job
      C:\WINDOWS\system32\WL5Y405w.exe
      Registry::
      [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB29334-4C02-47f0-9CA3-4DC307398F9C}]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "k5r"=-
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "k5r"=-
    • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
    • Save it to the desktop as CFscript.txt
    • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
      Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
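An added example (not code from this thread, HijackThis or ComboFix): a Python triage pass over a few lines constructed from the first log above, applying heuristics modelled on what the helper removed here (an orphan BHO, a Run entry registered under both HKLM and HKCU pointing into system32, a text/html filter handled by a .tmp file, a Winlogon Notify DLL) and writing the findings out in the File::/Registry:: CFScript form shown in post #4. The regexes, the heuristics and the abbreviated BHO key spelling are assumptions.

```python
"""Triage HijackThis log lines and emit a ComboFix-style CFScript.

Added example. The heuristics are assumptions modelled on the entries the
helper in this thread removed; they are not HijackThis or ComboFix logic.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {8FB29334-4C02-47f0-9CA3-4DC307398F9C} - rreesssvv.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [k5r] C:\WINDOWS\system32\k5r.exe
O4 - HKCU\..\Run: [k5r] C:\WINDOWS\system32\k5r.exe
O18 - Filter hijack: text/html - {A8981DB9-B2B3-47D7-A890-9C9D9F4C5552} - C:\WINDOWS\mf4B.tmp
O20 - Winlogon Notify: btmczjfc - C:\WINDOWS\SYSTEM32\asferrorr.dll
"""

# Assumed line shapes for the four HijackThis sections used below.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
# Abbreviated key spelling as it appears in the thread's CFScript (assumed to be what ComboFix accepts).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


def first_path(cmd):
    """Return the executable path of an O4 command, quoted or not, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return (files_to_delete, registry_ops, reasons) for suspicious entries."""
    files, reg, reasons = [], [], []
    runs = defaultdict(dict)  # Run entry name -> {hive: target path}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            # A BHO whose DLL is gone is an orphan CLSID: remove the registration.
            if "(file missing)" in m["target"] or "(no file)" in m["target"]:
                reg.append(f"[-{BHO_KEY}\\{m['clsid']}]")
                reasons.append(f"orphan BHO {m['clsid']}: {m['target']}")
        elif m := O4_RE.match(line):
            runs[m["name"]][m["hive"]] = first_path(m["cmd"])
        elif m := O18_RE.match(line):
            # A MIME filter implemented by a .tmp file is not a legitimate handler.
            if m["target"].lower().endswith(".tmp"):
                files.append(m["target"])
                reasons.append(f"{m['mime']} filter handled by temp file {m['target']}")
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon at boot; treat unexplained ones as suspect.
            files.append(m["target"])
            reasons.append(f"Winlogon Notify '{m['name']}' loads {m['target']}")
    # Same name in both HKLM and HKCU Run, same system32 target: the k5r pattern from this thread.
    for name, by_hive in runs.items():
        paths = set(by_hive.values())
        if {"HKLM", "HKCU"} <= set(by_hive) and len(paths) == 1:
            path = paths.pop()
            if "\\system32\\" in path.lower():
                files.append(path)
                for hive in ("HKLM", "HKCU"):
                    reg.append(f"[{RUN_KEYS[hive]}]")
                    reg.append(f'"{name}"=-')
                reasons.append(f"'{name}' auto-starts from both HKLM and HKCU Run via {path}")
    return files, reg, reasons


def build_cfscript(files, reg):
    """Lay the findings out in the File::/Registry:: form used in post #4."""
    return "\n".join(["File::", *files, "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    f, r, why = triage(SAMPLE_LOG)
    print("\n".join(why))
    print(build_cfscript(f, r))
```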

  5. #5 Junior Member (Join Date: Oct 2007, Posts: 6)

    Hi, and thanks for helping me again. I did install WinPcap because it said I needed it to run a program I needed for an online game. Should I delete it?

    ComboFix 07-10-17.8 - Owner 2007-10-17 22:16:20.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1448 [GMT 1:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript_used_2007-10-17@22.16.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\2C0lJ0bN.dll
    C:\WINDOWS\system32\k5r.exe
    C:\WINDOWS\system32\kDM8OD71.dll
    C:\WINDOWS\system32\lgE5fW6U.dll
    C:\WINDOWS\system32\WL5Y405w.exe
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    .
    /wow section - STAGE 1
    /wow section - STAGE 7
    /wow section - STAGE 8
    /wow section - STAGE 11
    /wow section - STAGE 12
    /wow section - STAGE 25
    /wow section - STAGE 31

    /wow section not completed

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\2C0lJ0bN.dll
    C:\WINDOWS\system32\k5r.exe
    C:\WINDOWS\system32\k5r.exe
    C:\WINDOWS\system32\kDM8OD71.dll
    C:\WINDOWS\system32\kDM8OD71.dll
    C:\WINDOWS\system32\lgE5fW6U.dll
    C:\WINDOWS\system32\lgE5fW6U.dll
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
    .

    2007-10-17 10:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-16 15:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-16 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-16 15:12 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-15 17:30 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-10-15 17:30 741,632 --a------ C:\WINDOWS\system32\svplkaov.dat
    2007-10-15 17:30 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-10-15 17:30 118,528 --a------ C:\WINDOWS\system32\btdjmrsw.dat
    2007-10-15 17:30 41,728 --a------ C:\WINDOWS\system32\pevsjgaj.dat
    2007-10-15 17:30 35,584 --a------ C:\WINDOWS\system32\errznpjp.dat
    2007-10-15 17:30 34,560 --a------ C:\WINDOWS\system32\tkqsulog.dat
    2007-10-15 17:24 <DIR> d-------- C:\WINDOWS\system32\AppCert
    2007-10-15 16:34 4,096 --a------ C:\WINDOWS\d3dx.dat
    2007-10-15 16:33 <DIR> d-------- C:\Program Files\PlayOnline
    2007-10-15 16:33 <DIR> d-------- C:\Program Files\Common Files\PlayOnline
    2007-10-12 14:38 <DIR> d-------- C:\WINDOWS\Sun
    2007-10-12 14:35 <DIR> d-------- C:\Program Files\Java
    2007-10-12 14:35 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-11 14:03 <DIR> d-------- C:\Temp
    2007-10-10 12:33 <DIR> d-------- C:\Program Files\Google
    2007-10-08 10:07 <DIR> d-------- C:\Program Files\WinPcap
    2007-09-26 21:03 <DIR> d-------- C:\Program Files\Common Files\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-17 21:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-17 20:33 --------- d-----w C:\Program Files\Warcraft III
    2007-10-17 09:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2007-10-15 15:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-12 14:55 --------- d-----w C:\Program Files\Lineage II
    2007-10-12 14:53 153,925 ----a-w C:\WINDOWS\system32\drivers\dump_wmimmc.sys
    2007-10-11 13:03 --------- d-----w C:\Program Files\Sony
    2007-10-11 09:41 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\PestPatrol
    2007-10-05 10:25 --------- d-----w C:\Program Files\World of Warcraft
    2007-10-04 18:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
    2007-10-04 16:22 --------- d-----w C:\Program Files\mIRC
    2007-09-11 19:44 491,540 ----a-w C:\L2.exe
    2007-09-06 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2007-07-26 03:06 144,704 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-07-26 02:53 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-07-26 02:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-07-26 02:53 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-07-26 02:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-07-26 02:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2007-07-26 02:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-07-26 02:53 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-07-26 02:50 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-07-26 02:50 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-07-26 02:50 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-07-26 02:50 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-07-26 02:50 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-07-26 02:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-07-26 02:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-07-26 02:50 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-07-26 02:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-07-26 02:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-07-26 02:50 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-07-26 02:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
    "JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44]
    "JMB36X Configure"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-10-30 13:44]
    "Gainward"="C:\Program Files\Vtune\TBPanel.exe" [2006-11-24 11:31]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-24 06:52]
    "nwiz"="nwiz.exe" [2006-11-24 06:52 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-11-24 06:52]
    "Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
    "PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-15 05:13]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 15:18]
    "Jessops Insert Detect"="C:\Program Files\Jessops\Picture Suite\InsDetect.exe" [2003-02-17 11:45]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00]

    R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
    R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-17 22:18:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-17 22:19:33 - machine was rebooted
    C:\ComboFix2.txt ... 2007-10-17 22:14
    C:\ComboFix3.txt ... 2007-10-17 10:25
    .
    --- E O F ---

    and Hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:22:40, on 17/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Vtune\TBPanel.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [Gainward] C:\Program Files\Vtune\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.custhelp.com/7540-b3.../java/RntX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A295A96-2E47-4B81-BFF3-0C207BDF26A5}: NameServer = 192.168.2.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 7776 bytes

  6. #6
    Emeritus
    Join Date
    Jul 2007
    Posts
    706

    Default

    I did install WinPcap because it said I needed it to run a program I needed for an online game; should I delete it?
    No, so long as you installed it yourself, it's fine

    • Open a new notepad window (Start>All programs>accessories>notepad)
    • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
      Code:
      File::
      C:\WINDOWS\system32\svplkaov.dat
      C:\WINDOWS\system32\btdjmrsw.dat
      C:\WINDOWS\system32\pevsjgaj.dat
      C:\WINDOWS\system32\errznpjp.dat
      C:\WINDOWS\system32\tkqsulog.dat
    • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
    • Save it to the desktop as CFscript.txt
    • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
      Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
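What singles out those five `.dat` files in the ComboFix log is not a signature hit but a pattern: seven files written to `system32` in the same minute (2007-10-15 17:30), five of them with eight-letter names that look generated. As an added example that is not part of this thread and not ComboFix's code, the Python below parses "Files Created" lines, groups them by creation minute, and flags generated-looking names inside any burst. The sample lines are copied from the log posted above; the name heuristic is this example's own assumption, not a rule the helper or ComboFix applies.

```python
"""Triage ComboFix 'Files Created' lines for bursts of oddly named files.

Added example for this thread, not ComboFix's code. The sample lines are
copied from the ComboFix log posted above; the 'random name' heuristic is
an assumption of this example, not a rule ComboFix or the helper applied.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"""
2007-10-17 10:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 15:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 17:30 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-10-15 17:30 741,632 --a------ C:\WINDOWS\system32\svplkaov.dat
2007-10-15 17:30 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-10-15 17:30 118,528 --a------ C:\WINDOWS\system32\btdjmrsw.dat
2007-10-15 17:30 41,728 --a------ C:\WINDOWS\system32\pevsjgaj.dat
2007-10-15 17:30 35,584 --a------ C:\WINDOWS\system32\errznpjp.dat
2007-10-15 17:30 34,560 --a------ C:\WINDOWS\system32\tkqsulog.dat
2007-10-15 17:24 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-10-15 16:34 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-08 10:07 <DIR> d-------- C:\Program Files\WinPcap
"""

# date time, size-or-<DIR>, attribute flags, then the path (which may contain spaces)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")


def parse_created(text):
    """Parse 'Files Created' lines into dicts with stamp, size, attrs and path."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        is_dir = size == "<DIR>"
        records.append({
            "stamp": stamp,
            "dir": is_dir,
            "size": 0 if is_dir else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return records


def bursts(records, min_files=3):
    """Group plain files by creation minute; keep the groups with at least min_files entries."""
    by_stamp = defaultdict(list)
    for r in records:
        if not r["dir"]:
            by_stamp[r["stamp"]].append(r["path"])
    return {stamp: sorted(paths) for stamp, paths in by_stamp.items()
            if len(paths) >= min_files}


def looks_random(stem):
    """Heuristic (assumption): an 8-character stem that is either all lowercase
    letters or mixes digits, upper- and lower-case, the two styles seen in this thread."""
    if len(stem) != 8:
        return False
    if stem.isalpha() and stem.islower():
        return True
    return (any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def random_named(paths):
    """Filter paths whose file-name stem looks generated."""
    return [p for p in paths
            if looks_random(ntpath.splitext(ntpath.basename(p))[0])]


if __name__ == "__main__":
    for stamp, paths in sorted(bursts(parse_created(SAMPLE)).items()):
        print(stamp, len(paths), "files created in the same minute")
        for p in random_named(paths):
            print("   suspicious name:", p)
```

Run against the log's lines it reports the single 17:30 burst and, inside it, exactly the five `.dat` files the helper targets; `libeay32.dll` and `libssl32.dll`, names used by OpenSSL builds, fall in the same burst but are not flagged by the name rule, which matches the helper's decision to leave them. The rule also matches the earlier round's mixed-case names (`2C0lJ0bN`, `kDM8OD71`, `WL5Y405w`). It is a triage aid, not a verdict: an ordinary eight-letter stem such as `explorer` would match too, so anything it flags still needs the hash, signer and timestamp context a human reviewer gives it.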
