Can't remove win32.murlo.ff

[madstyles]

Spybot detects win32.murlo.ff. After choosing to fix the problem, it reappears after a restart. Occasionally it disappears, but Virtumonde appears in its place. When this happens, win32.murlo.ff reappears upon restart after fixing virtumonde. I'm not sure whether the two are connected in any way.

I have tried using fixvundo.exe aswell as the virtumundobegone alternative, both of them seem to freeze before they even begin scanning, I have tried numerous times in the hope that they will run smoothly, but to no avail. I have used panda online active scan, and etrust online scanner but I can't seem to find an option to save a log. Neither of them seem to find the above problems though.

Virtumonde and win32.murlo.ff appear to be the remnants of a larger group of viruses I had on the computer, after fixing them, these are the ones that don't want to die.

Below is a copy of my HJT report. Also worth noting is that the executable has already been renamed to "analyse.exe" before being run. I have read the "before you post" thread, but I'm still not sure whether I've done things right, so I apologise in advance if I do anything wrong or miss anything out in my reports. The dashes in paths in the HJT report are in replacement of the username on my pc, there are only 2 instances of this I believe.

Also, Spybot S & D is the only scanner to pick up that win32.murlo.ff is apparent on my pc. The HJT scan was done in safe mode with netowrking. I hope all the info I have provided is of use Thanks in advance for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 14:46:36, on 02/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\Analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: MSEvents Object - {00D0E786-A9E4-4EC5-82BA-E4E57D285B83} - C:\WINDOWS\system32\gebawxu.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSEvents Object - {BD8C25A0-021F-4B4A-986B-E88A75B73C68} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: MSEvents Object - {EC596F28-E16F-45D9-8925-9EDE4741B1E1} - C:\WINDOWS\system32\wvussqp.dll (file missing)
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Shortcut to YzDock.lnk = C:\Documents and Settings\---\Desktop\ock\YzDock.exe
O4 - Startup: Shortcut to YzShadow.lnk = C:\Documents and Settings\---\Desktop\ock\Shadow\YzShadow.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://ve.ukie.capgemini.com/dana-c...erSetupSP1.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O20 - Winlogon Notify: wvussqp - wvussqp.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Digital Home 8\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

[Shaba]

Hi madstyles

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

[madstyles]

Hi, thanks for helping

The logs are posted below and were done in "normal" mode, my pc doesn't seem to restart or shutdown properly anymore, have to press the reset button, don't think that would have effected anything, but thought I'd better say just in case :P :-
_____________________

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:58:58 03/08/2007

Listing files found while scanning....

No infected files were found.

____________________

ComboFix 07-08-03.4 - "W---" 2007-08-03 10:41:47.1 [GMT 1:00] - NTFS [SAFE MODE]
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\winpop
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\tuvuusp.dll
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_MSUPDATE
-------\LEGACY_NDNET1
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SFSYNC02
-------\msupdate
-------\NtmlSvc
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-03 10:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 10:25 <DIR> d-------- C:\VundoFix Backups
2007-08-01 22:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-01 15:49 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-31 17:23 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-31 17:09 <DIR> d-------- C:\!KillBox
2007-07-30 20:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-30 20:12 <DIR> d-------- C:\Program Files\CCleaner
2007-07-30 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 19:18 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-07-30 19:17 <DIR> d-------- C:\DOCUME~1\W--\APPLIC~1\Sunbelt Software
2007-07-30 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-07-30 19:16 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-30 19:03 <DIR> d-------- C:\Antivirus
2007-07-30 17:25 126,016 --a------ C:\WINDOWS\system32\ufxdelhd.dll
2007-07-29 20:43 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-07-29 19:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-07-29 19:29 <DIR> d-------- C:\Program Files\Avi2Dvd
2007-07-29 16:14 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-07-29 16:09 90,112 --------- C:\WINDOWS\Updreg.EXE
2007-07-29 16:08 <DIR> d-------- C:\Program Files\OpenAL
2007-07-29 16:00 77,824 --------- C:\WINDOWS\system32\ctdvda32.dll
2007-07-28 17:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-28 17:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-28 17:12 1,071,455 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-07-27 13:49 6,506 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-07-26 20:20 <DIR> d-------- C:\DOCUME~1\Ali\APPLIC~1\WinRAR
2007-07-18 23:59 <DIR> d-------- C:\Program Files\CStartup
2007-07-18 23:59 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\CustomStartUp
2007-07-18 01:52 <DIR> d-------- C:\Program Files\Winamp
2007-07-18 01:52 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\Winamp
2007-07-18 01:32 <DIR> d-------- C:\Program Files\Rainmeter
2007-07-18 00:53 <DIR> d-------- C:\DOCUME~1\W---\.rainlendar2
2007-07-18 00:43 <DIR> d-------- C:\Program Files\Rainlendar2
2007-07-18 00:37 <DIR> d-------- C:\Program Files\Samurize
2007-07-17 15:02 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\Juniper Networks
2007-07-16 15:27 <DIR> d-------- C:\Priv WoW
2007-07-14 14:44 <DIR> dr-h----- C:\DOCUME~1\Ali\APPLIC~1\SecuROM
2007-07-14 13:40 38,832 --a------ C:\DOCUME~1\Ali\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-12 18:05 <DIR> d-------- C:\Program Files\SoftwareRevenue.org
2007-07-12 18:03 12,666,128 --a------ C:\WINDOWS\system32\mi2.exe
2007-07-12 17:38 <DIR> d-------- C:\Program Files\ItweakU
2007-07-12 11:50 <DIR> d-------- C:\Program Files\BFU
2007-07-11 18:22 1,572,864 --ah----- C:\DOCUME~1\Ka----\NTUSER.DAT
2007-07-11 18:22 <DIR> d-------- C:\DOCUME~1\Ka----\APPLIC~1\Roxio
2007-07-11 18:22 <DIR> d-------- C:\DOCUME~1\Ka----\APPLIC~1\Real
2007-07-11 18:22 <DIR> d-------- C:\DOCUME~1\Ka----\APPLIC~1\ATI
2007-07-10 17:40 <DIR> d-------- C:\WinRAR
2007-07-10 17:37 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\WinRAR
2007-07-09 13:46 <DIR> d-------- C:\Program Files\Google
2007-07-03 13:14 55,296 --a------ C:\WINDOWS\system32\disable.exe
2007-07-03 13:14 116 --a------ C:\WINDOWS\system32\enabledvd.vbs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 10:35 3672 --a------ C:\WINDOWS\mozver.dat
2007-08-02 14:21 --------- d-------- C:\Program Files\iTunes
2007-08-01 23:08 --------- d-------- C:\Program Files\BPK
2007-07-30 17:27 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Creative
2007-07-29 16:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 16:14 --------- d-------- C:\Program Files\Creative
2007-07-29 16:08 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-07-29 16:08 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-07-28 17:56 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-20 20:27 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-20 12:59 --------- d-------- C:\Program Files\World of Warcraft
2007-07-18 00:54 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Skype
2007-07-02 21:17 --------- d-------- C:\Program Files\Ubisoft
2007-07-02 20:24 --------- d-------- C:\Program Files\HP
2007-07-02 20:24 --------- d-------- C:\Program Files\Hewlett-Packard
2007-06-24 13:50 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Roxio
2007-06-24 13:49 --------- d-------- C:\Program Files\PCFriendly
2007-06-23 22:09 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Apple Computer
2007-06-15 14:37 27376 --a------ C:\WINDOWS\system32\SBBD.exe
2007-06-13 20:50 43152 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 20:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 20:24 268288 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 20:24 2155520 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-06-13 20:24 2155520 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 20:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 20:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 20:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 20:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 20:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 20:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 20:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 20:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 20:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 20:07 2922208 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-13 19:57 972072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-06-13 19:57 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-06-13 19:57 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-06-13 19:57 1512960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 19:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 19:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 19:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 19:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 19:41 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 19:36 368640 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-17 16:30 318976 --a------ C:\WINDOWS\system32\avisynth.dll
2007-05-16 16:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 10:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-05-03 18:05 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-02-26 09:25 38440 --a------ C:\DOCUME~1\W---\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-04-24 11:13:11 56 --sh--r C:\WINDOWS\system32\14DF88B73C.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-25 03:52]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34]
"CTHelper"="CTHELPER.EXE" [2006-06-01 11:34 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-06-01 11:34 C:\WINDOWS\system32\CTXFIHLP.EXE]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-08-18 22:42]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-12 11:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

C:\Documents and Settings\W---\Start Menu\Programs\Startup\
Shortcut to YzDock.lnk - C:\Documents and Settings\W---\Desktop\ock\YzDock.exe [2007-02-16 11:59:35]
Shortcut to YzShadow.lnk - C:\Documents and Settings\W---\Desktop\ock\Shadow\YzShadow.exe [2007-07-18 00:41:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
winexy32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvussqp]
wvussqp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^W---^Start Menu^Programs^Startup^Rainmeter.lnk]
path=C:\Documents and Settings\W---\Start Menu\Programs\Startup\Rainmeter.lnk
backup=C:\WINDOWS\pss\Rainmeter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE

R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 sfvfs02;StarForce Protection VFS Driver (version 2.x);C:\WINDOWS\system32\drivers\sfvfs02.sys
R1 AsIO;AsIO;C:\WINDOWS\system32\drivers\AsIO.sys
R1 mbmiodrvr;mbmiodrvr;\??\C:\WINDOWS\system32\mbmiodrvr.sys
R1 RxFilter;RxFilter;C:\WINDOWS\system32\DRIVERS\RxFilter.sys
R1 StyleXPHelper;StyleXPHelper;\??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
R2 X4HSX32;X4HSX32;\??\C:\Program Files\Metaboli Player\X4HSX32.Sys
R3 ATIAVAIW;ATI T200 Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavt2.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 Asushwio;Asushwio;\??\C:\WINDOWS\system32\drivers\Asushwio.sys
S3 efipsk;efipsk;\??\C:\DOCUME~1\W---\LOCALS~1\Temp\efipsk.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
S3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys

*Newly Created Service* - SBAPIFS

Contents of the 'Scheduled Tasks' folder
2007-07-28 21:08:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 10:46:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-03 10:49:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-03 10:49

--- E O F ---

[madstyles]

Logfile of HijackThis v1.99.1
Scan saved at 10:52:20, on 03/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\W---\Desktop\ock\Shadow\YzShadow.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\Analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Shortcut to YzDock.lnk = C:\Documents and Settings\W---\Desktop\ock\YzDock.exe
O4 - Startup: Shortcut to YzShadow.lnk = C:\Documents and Settings\W---\Desktop\ock\Shadow\YzShadow.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://ve.ukie.capgemini.com/dana-c...erSetupSP1.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O20 - Winlogon Notify: wvussqp - wvussqp.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Digital Home 8\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

_____________________

Usernames were replaced with dashes after the first/second letter again Thanks for helping once again

[Shaba]

Hi

Do you know what these are ? ->

2007-07-12 18:03 12,666,128 --a------ C:\WINDOWS\system32\mi2.exe
2007-07-03 13:14 55,296 --a------ C:\WINDOWS\system32\disable.exe
2007-07-03 13:14 116 --a------ C:\WINDOWS\system32\enabledvd.vbs

Open HijackThis, click do a system scan only and checkmark these:

O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O20 - Winlogon Notify: wvussqp - wvussqp.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\ufxdelhd.dll
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.bak1

Save this as "CFScript"



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

[madstyles]

Thank you for the fast reply

I have no idea what the files you mentioned were, I guess that can only be a bad thing :P

Here is the log :

ComboFix 07-08-03.4 - "W---" 2007-08-03 11:21:57.2 [GMT 1:00] - NTFS [SAFE MODE]
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Downloads\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\ufxdelhd.dll


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-03 10:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 10:25 <DIR> d-------- C:\VundoFix Backups
2007-08-01 22:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-01 15:49 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-31 17:23 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-31 17:09 <DIR> d-------- C:\!KillBox
2007-07-30 20:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-30 20:12 <DIR> d-------- C:\Program Files\CCleaner
2007-07-30 20:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 19:18 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-07-30 19:17 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\Sunbelt Software
2007-07-30 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-07-30 19:16 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-30 19:03 <DIR> d-------- C:\Antivirus
2007-07-29 20:43 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-07-29 19:30 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-07-29 19:29 <DIR> d-------- C:\Program Files\Avi2Dvd
2007-07-29 16:14 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-07-29 16:09 90,112 --------- C:\WINDOWS\Updreg.EXE
2007-07-29 16:08 <DIR> d-------- C:\Program Files\OpenAL
2007-07-29 16:00 77,824 --------- C:\WINDOWS\system32\ctdvda32.dll
2007-07-28 17:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-28 17:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-26 20:20 <DIR> d-------- C:\DOCUME~1\Ali\APPLIC~1\WinRAR
2007-07-18 23:59 <DIR> d-------- C:\Program Files\CStartup
2007-07-18 23:59 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\CustomStartUp
2007-07-18 01:52 <DIR> d-------- C:\Program Files\Winamp
2007-07-18 01:52 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\Winamp
2007-07-18 01:32 <DIR> d-------- C:\Program Files\Rainmeter
2007-07-18 00:53 <DIR> d-------- C:\DOCUME~1\W---\.rainlendar2
2007-07-18 00:43 <DIR> d-------- C:\Program Files\Rainlendar2
2007-07-18 00:37 <DIR> d-------- C:\Program Files\Samurize
2007-07-17 15:02 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\Juniper Networks
2007-07-16 15:27 <DIR> d-------- C:\Priv WoW
2007-07-14 14:44 <DIR> dr-h----- C:\DOCUME~1\Ali\APPLIC~1\SecuROM
2007-07-14 13:40 38,832 --a------ C:\DOCUME~1\Ali\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-12 18:05 <DIR> d-------- C:\Program Files\SoftwareRevenue.org
2007-07-12 18:03 12,666,128 --a------ C:\WINDOWS\system32\mi2.exe
2007-07-12 17:38 <DIR> d-------- C:\Program Files\ItweakU
2007-07-12 11:50 <DIR> d-------- C:\Program Files\BFU
2007-07-11 18:22 1,572,864 --ah----- C:\DOCUME~1\Ka----\NTUSER.DAT
2007-07-11 18:22 <DIR> d-------- C:\DOCUME~1\Ka----\APPLIC~1\Roxio
2007-07-11 18:22 <DIR> d-------- C:\DOCUME~1\Ka----\APPLIC~1\Real
2007-07-11 18:22 <DIR> d-------- C:\DOCUME~1\Ka----\APPLIC~1\ATI
2007-07-10 17:40 <DIR> d-------- C:\WinRAR
2007-07-10 17:37 <DIR> d-------- C:\DOCUME~1\W---\APPLIC~1\WinRAR
2007-07-09 13:46 <DIR> d-------- C:\Program Files\Google
2007-07-03 13:14 55,296 --a------ C:\WINDOWS\system32\disable.exe
2007-07-03 13:14 116 --a------ C:\WINDOWS\system32\enabledvd.vbs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 10:35 3672 --a------ C:\WINDOWS\mozver.dat
2007-08-02 14:21 --------- d-------- C:\Program Files\iTunes
2007-08-01 23:08 --------- d-------- C:\Program Files\BPK
2007-07-30 17:27 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Creative
2007-07-29 16:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 16:14 --------- d-------- C:\Program Files\Creative
2007-07-29 16:08 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-07-29 16:08 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-07-28 17:56 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-20 20:27 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-20 12:59 --------- d-------- C:\Program Files\World of Warcraft
2007-07-18 00:54 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Skype
2007-07-02 21:17 --------- d-------- C:\Program Files\Ubisoft
2007-07-02 20:24 --------- d-------- C:\Program Files\HP
2007-07-02 20:24 --------- d-------- C:\Program Files\Hewlett-Packard
2007-06-24 13:50 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Roxio
2007-06-24 13:49 --------- d-------- C:\Program Files\PCFriendly
2007-06-23 22:09 --------- d-------- C:\DOCUME~1\W---\APPLIC~1\Apple Computer
2007-06-15 14:37 27376 --a------ C:\WINDOWS\system32\SBBD.exe
2007-06-13 20:50 43152 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 20:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 20:24 268288 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 20:24 2155520 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-06-13 20:24 2155520 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 20:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 20:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 20:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 20:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 20:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 20:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 20:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 20:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 20:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 20:07 2922208 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-13 19:57 972072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-06-13 19:57 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-06-13 19:57 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-06-13 19:57 1512960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 19:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 19:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 19:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 19:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 19:41 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 19:36 368640 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-17 16:30 318976 --a------ C:\WINDOWS\system32\avisynth.dll
2007-05-16 16:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 10:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-05-03 18:05 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-02-26 09:25 38440 --a------ C:\DOCUME~1\W---\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-04-24 11:13:11 56 --sh--r C:\WINDOWS\system32\14DF88B73C.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-25 03:52]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34]
"CTHelper"="CTHELPER.EXE" [2006-06-01 11:34 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-06-01 11:34 C:\WINDOWS\system32\CTXFIHLP.EXE]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-08-18 22:42]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-12 11:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

C:\Documents and Settings\W---\Start Menu\Programs\Startup\
Shortcut to YzDock.lnk - C:\Documents and Settings\W---\Desktop\ock\YzDock.exe [2007-02-16 11:59:35]
Shortcut to YzShadow.lnk - C:\Documents and Settings\W---\Desktop\ock\Shadow\YzShadow.exe [2007-07-18 00:41:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^W---^Start Menu^Programs^Startup^Rainmeter.lnk]
path=C:\Documents and Settings\W---\Start Menu\Programs\Startup\Rainmeter.lnk
backup=C:\WINDOWS\pss\Rainmeter.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE

R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R0 JGOGO;JMicron Hot-Plug Driver;C:\WINDOWS\system32\DRIVERS\JGOGO.sys
R0 JRAID;JRAID;C:\WINDOWS\system32\DRIVERS\jraid.sys
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 sfvfs02;StarForce Protection VFS Driver (version 2.x);C:\WINDOWS\system32\drivers\sfvfs02.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
S1 AsIO;AsIO;C:\WINDOWS\system32\drivers\AsIO.sys
S1 mbmiodrvr;mbmiodrvr;\??\C:\WINDOWS\system32\mbmiodrvr.sys
S1 RxFilter;RxFilter;C:\WINDOWS\system32\DRIVERS\RxFilter.sys
S1 StyleXPHelper;StyleXPHelper;\??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
S2 X4HSX32;X4HSX32;\??\C:\Program Files\Metaboli Player\X4HSX32.Sys
S3 Asushwio;Asushwio;\??\C:\WINDOWS\system32\drivers\Asushwio.sys
S3 ATIAVAIW;ATI T200 Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavt2.sys
S3 efipsk;efipsk;\??\C:\DOCUME~1\W---\LOCALS~1\Temp\efipsk.sys
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 SjyPkt;SjyPkt;\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
S3 vaxscsi;vaxscsi;C:\WINDOWS\system32\Drivers\vaxscsi.sys


Contents of the 'Scheduled Tasks' folder
2007-07-28 21:08:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 11:24:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-03 11:25:08
C:\ComboFix-quarantined-files.txt ... 2007-08-03 11:24
C:\ComboFix2.txt ... 2007-08-03 10:49

--- E O F ---

[Shaba]

Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\disable.exe

Please post back the results of the scan in your next post.

Repeat step for

C:\WINDOWS\system32\enabledvd.vbs
C:\WINDOWS\system32\mi2.exe <--- might be too large to upload

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

[madstyles]

These come out a bit untidy, but:

Results for disable.exe:

Packers detected: -
Bit9 reports: File not found

Scan taken on 03 Aug 2007 10:35:59 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Last file scanned at least one scanner reported something about: INDEX.HTM (MD5: b411b1776e809e2a204208de7cf6aad2, size: 1130 bytes), detected by:

Scanner Malware name
AVG Antivirus JS/Psyme.AD
BitDefender Trojan.Downloader.Js.Psyme.HZ
CPsecure Troj.Downloader.JS.Psyme.hz
F-Secure Anti-Virus Trojan-Downloader.JS.Psyme.hz
Fortinet JS/Psyme.HZ!tr.dldr
Kaspersky Anti-Virus Trojan-Downloader.JS.Psyme.hz
NOD32 probably a variant of JS/TrojanDownloader.Psyme
Sophos Antivirus Troj/Psyme-ER

_________________________________________

enabledvd.vbs:

Instead of copying all the above again, it said found nothing for all :P But underneath in the table it said:

Last file scanned at least one scanner reported something about: 003加彩.exe (MD5: 36d1fd90ba70b6a6814f34c803628392, size: 72292 bytes), detected by:

Scanner Malware name
AntiVir TR/Drop.VB.26
Avast Win32:Small-HGY
ClamAV Trojan.Downloader.Agent-166
CPsecure BackDoor.W32.Banito.ae
Dr.Web BackDoor.Bandito.18
NOD32 a variant of Win32/Banito
Norman Virus Control Hupigon.gen130
Sophos Antivirus Mal/Behav-053
VBA32 Downloader.Small.18

______________________________

mi2.exe takes a long time to load but the only report is:

Last file scanned at least one scanner reported something about: 004.exe (MD5: 56fc349f4772c52537ad1707f67da2ff, size: 355328 bytes), detected by:

AntiVir HEUR/Malware

virustool.com says that it is too large to upload :(

Thanks for all the help so far

[Shaba]

Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]

It should look like this ->

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  
  o Scan using the following Anti-Virus database:
  
  + Extended (If available otherwise Standard)
  
  o Scan Options:
  
  + Scan Archives
  + Scan Mail Bases
  
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button
• Save the file to your desktop.
• Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

[madstyles]

Logfile of HijackThis v1.99.1
Scan saved at 19:39:35, on 03/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\Analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Shortcut to YzDock.lnk = C:\Documents and Settings\W---\Desktop\ock\YzDock.exe
O4 - Startup: Shortcut to YzShadow.lnk = C:\Documents and Settings\W---\Desktop\ock\Shadow\YzShadow.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://ve.ukie.capgemini.com/dana-c...erSetupSP1.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Digital Home 8\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Kapersky report will be in post below