Trojan Problem: TR/Dldr.ConHook.Gen

xxx13luexxx
2007-09-02, 11:38
Hello, I tried using antivirus to delete this but it won't go away. Can anyone PLEASE help me? My HijackThis log is down there.

Logfile of HijackThis v1.99.1
Scan saved at 2:27:27 AM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\DAMON~1.DAM\LOCALS~1\Temp\winhost.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Covey Inc\EliteSwitch\EliteSwitch.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\Blupig's All-In-One Cheat Package\Magers\Jake's AutoAlch\Alcher.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\HijackThis.exe

O2 - BHO: (no name) - {14CA24CC-1CCC-48C9-B87D-13F2B6D9308E} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\egityqta.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\cbxxuvw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{62-25-57-7D-ZN}] C:\DOCUME~1\DAMON~1.DAM\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\nqrogjml.dll",forkonce
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Damon.DAMON-200C1A6A8\Local Settings\Temp\thinksnet.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: cbxxuvw - C:\WINDOWS\SYSTEM32\cbxxuvw.dll
O20 - Winlogon Notify: jkhff - C:\WINDOWS\system32\jkhff.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
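
The log above contains the classic signs helpers look for when reading a HijackThis report: executables running from a Temp directory (winhost.exe, thinksnet.exe), a "svhost.exe" that is one letter away from the real svchost.exe, nameless O2 BHOs whose DLLs have vowel-free generated names (jkhff.dll, cbxxuvw.dll), and O20 Winlogon Notify hooks that point at those same DLLs. The following script is an added example written for this page, not code from the thread, from HijackThis or from its author; it parses the O-section and running-process lines and applies those heuristics. The rules (Temp-path check, edit-distance-one lookalike check, vowel-ratio name check, BHO/Winlogon cross-reference) are the editor's assumptions, meant as a reading aid rather than a verdict, and the sample input is constructed from lines copied out of the posted log.

```python
"""Heuristic triage of a HijackThis 1.99.x log (added example; the rules are
the editor's assumptions, not HijackThis's own)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\DAMON~1.DAM\LOCALS~1\Temp\winhost.exe

O2 - BHO: (no name) - {14CA24CC-1CCC-48C9-B87D-13F2B6D9308E} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\egityqta.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\cbxxuvw.dll
O4 - HKLM\..\Run: [{62-25-57-7D-ZN}] C:\DOCUME~1\DAMON~1.DAM\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\nqrogjml.dll",forkonce
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O20 - Winlogon Notify: cbxxuvw - C:\WINDOWS\SYSTEM32\cbxxuvw.dll
"""

SECTION_RE = re.compile(r"^(O\d+) - ")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|sys)\b', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:LOCALS~1\\Temp|Local Settings\\Temp|Temp)\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
SYSTEM_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe")
VOWELS = set("aeiouy")


@dataclass
class Entry:
    section: str            # "process" or a HijackThis section code such as "O4"
    raw: str
    path: Optional[str]
    reasons: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower() if self.path else ""


def parse_hjt(text: str) -> list:
    """Keep running-process lines and O-section lines with the first Windows path on each."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif DRIVE_RE.match(line):
            section = "process"
        else:
            continue
        pm = PATH_RE.search(line)
        entries.append(Entry(section, line, pm.group(0) if pm else None))
    return entries


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter-off system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Short, all-lowercase, nearly vowel-free names (jkhff, cbxxuvw, nqrogjml in
    the posted log) read like generated loader names; vendor names rarely do."""
    if not stem.isalpha() or not stem.islower() or len(stem) < 5:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(text: str) -> list:
    """Return only the entries that trip at least one heuristic."""
    entries = parse_hjt(text)
    bho_dlls = {e.basename for e in entries if e.section == "O2" and e.path}
    for e in entries:
        if "(file missing)" in e.raw:
            e.reasons.append("target file missing (stale or self-deleted entry)")
        if e.path and TEMP_RE.search(e.path):
            e.reasons.append("executes from a Temp directory")
        if e.section == "O2" and "(no name)" in e.raw:
            e.reasons.append("BHO registered without a name")
        if e.section == "O20" and e.basename in bho_dlls:
            e.reasons.append("Winlogon Notify DLL is also loaded as a BHO")
        if (e.section in ("O2", "O4", "O20") and e.path and SYSTEM32_RE.search(e.path)
                and e.basename not in SYSTEM_BINARIES):
            stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # original case kept
            if looks_random(stem):
                e.reasons.append("pseudo-random file name directly in system32")
        if e.basename and e.basename not in SYSTEM_BINARIES and any(
                edit_distance(e.basename, s) == 1 for s in SYSTEM_BINARIES):
            e.reasons.append("name is one edit away from a Windows system binary")
    return [e for e in entries if e.reasons]


def reasons_for(entries: list, needle: str) -> list:
    """Reasons recorded for the first entry whose raw line contains `needle`."""
    return next((e.reasons for e in entries if needle in e.raw), [])


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry.raw)
        for reason in entry.reasons:
            print("   ->", reason)
```

Run against the full log, the script leaves the Java, AntiVir, NVIDIA and ZoneAlarm entries alone and flags exactly the lines the helper later asks to have fixed or that ComboFix deletes. The vowel-ratio rule is deliberately limited to files sitting directly in system32 and to the O2/O4/O20 sections, because legitimate names such as msmsgs.exe or smax4pnp.exe would otherwise trip it.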

Markka
2007-09-02, 12:50
Hi and welcome to the forums. :)
I'm Markka and I will be helping you with your malware issues.

I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by
teachers of Malware Removal University.
Please be patient. :)

Markka
2007-09-02, 19:19
Hello :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!

Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt

xxx13luexxx
2007-09-02, 21:50
Hello, I did as you asked and this is the log.
Also, thanks for helping me =]

ComboFix 07-08-30.3 - "Damon" 2007-09-02 12:40:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.892 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Damon\APPLIC~1\WinAntiSpyware 2006
C:\DOCUME~1\Damon\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\DAMON~1.DAM\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\DAMON~1.DAM\STARTM~1\Programs\Startup\ta_start.lnk
C:\Program Files\inetget2
C:\Program Files\svhost
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\cbxxuvw.dll
C:\WINDOWS\system32\ddccyya.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.tmp
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\vtursss.dll
C:\WINDOWS\system32\wvuuvvv.dll
C:\WINDOWS\system32\yayvsqr.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))


2007-09-02 12:39 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 22:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-31 17:30 73,728 --a------ C:\WINDOWS\system32\lxdapwr.dll
2007-08-31 17:30 311,296 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-08-31 17:30 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-08-31 17:30 200,704 --a------ C:\WINDOWS\system32\lexlmpm.dll
2007-08-31 17:30 198,144 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-08-31 17:30 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-08-31 17:30 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-08-31 17:30 <DIR> d-------- C:\Program Files\Lexmark 640 Series
2007-08-31 17:29 299,520 --a------ C:\WINDOWS\uninst.exe
2007-08-31 17:27 <DIR> d-------- C:\Lexmark
2007-08-31 17:27 <DIR> d-------- C:\DOCUME~1\DAMON~1.DAM\WINDOWS
2007-08-31 17:25 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-08-31 17:25 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-31 00:11 602,160 --a------ C:\WINDOWS\system32\ksslatre.exe
2007-08-29 22:15 671 --a------ C:\WINDOWS\mozver.dat
2007-08-29 16:31 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-29 16:31 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-29 16:31 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-29 16:31 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-08-29 16:31 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-08-29 16:31 <DIR> d-------- C:\DOCUME~1\DAMON~1.DAM\APPLIC~1\MailFrontier
2007-08-29 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\MailFrontier
2007-08-29 16:19 <DIR> d-------- C:\DOCUME~1\DAMON~1.DAM\APPLIC~1\Ventrilo
2007-08-29 16:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-29 16:13 <DIR> d-------- C:\DOCUME~1\DAMON~1.DAM\APPLIC~1\Aim
2007-08-29 16:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Viewpoint
2007-08-29 16:10 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-29 16:08 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-29 16:07 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-29 16:06 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-08-29 16:06 356,096 --a------ C:\WINDOWS\system32\rt61.sys
2007-08-29 16:06 243,328 --a------ C:\WINDOWS\system32\rt2500.sys
2007-08-29 16:06 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-29 16:06 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2007-08-29 16:06 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2007-08-29 16:06 17,992 --a------ C:\WINDOWS\bcm42rly.sys
2007-08-29 16:06 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2007-08-29 16:05 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-29 16:05 <DIR> d-------- C:\DOCUME~1\DAMON~1.DAM\APPLIC~1\WinRAR
2007-08-29 15:56 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1.WIN\DRM
2007-08-29 15:13 <DIR> d-------- C:\DOCUME~1\Damon\APPLIC~1\PC Tools
2007-08-29 15:12 <DIR> d-------- C:\DOCUME~1\Damon\APPLIC~1\Help
2007-08-29 14:57 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-29 13:29 <DIR> d-------- C:\Program Files\BitComet
2007-08-29 13:29 <DIR> d-------- C:\Downloads
2007-08-29 13:25 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-08-29 13:24 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-29 13:18 <DIR> d-------- C:\Program Files\DAP
2007-08-29 08:48 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-08-29 08:47 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-08-29 08:47 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-08-29 08:47 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2007-08-29 08:45 <DIR> dr------- C:\DOCUME~1\ALLUSE~1.WIN\Documents
2007-08-28 16:55 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-08-28 16:52 <DIR> d-------- C:\Program Files\World of Warcraft
2007-08-28 11:54 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-28 03:52 <DIR> d-------- C:\DOCUME~1\Damon\APPLIC~1\Viewpoint
2007-08-27 14:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-27 14:05 <DIR> d--hs---- C:\WINDOWS\RGFtb24
2007-08-27 14:05 <DIR> d-------- C:\WINDOWS\system32\tempsz11
2007-08-27 14:05 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-27 14:05 <DIR> d-------- C:\WINDOWS\system32\drvfig32
2007-08-27 14:05 <DIR> d-------- C:\Temp
2007-08-27 14:05 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-08-26 23:40 <DIR> d-------- C:\Program Files\middle_man
2007-08-26 18:17 <DIR> d-------- C:\Program Files\Steam
2007-08-26 17:50 <DIR> d-------- C:\DOCUME~1\Damon\APPLIC~1\Ventrilo
2007-08-26 17:40 <DIR> d-------- C:\Program Files\Warcraft III
2007-08-26 16:45 <DIR> d-------- C:\Program Files\OGPlanet
2007-08-26 13:57 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-26 13:46 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2007-08-26 13:46 732,928 --a------ C:\WINDOWS\system32\drivers\senfilt.sys
2007-08-26 13:46 311,296 --a------ C:\WINDOWS\system32\Edcrypt.dll
2007-08-26 13:46 260,352 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2007-08-26 13:46 23,040 --a------ C:\WINDOWS\system32\PostProc.dll
2007-08-26 13:46 <DIR> d-------- C:\WINDOWS\VirtualEar
2007-08-26 13:46 <DIR> d-------- C:\Program Files\Analog Devices
2007-08-26 13:38 <DIR> d-------- C:\Program Files\Viewpoint
2007-08-26 13:38 <DIR> d-------- C:\Program Files\AOD
2007-08-26 13:38 <DIR> d-------- C:\Program Files\AIM
2007-08-26 13:38 <DIR> d-------- C:\DOCUME~1\Damon\APPLIC~1\Aim
2007-08-26 13:36 <DIR> d-------- C:\WINDOWS\nview
2007-08-26 13:36 <DIR> d-------- C:\WINDOWS\NV9722044.TMP
2007-08-26 13:36 <DIR> d-------- C:\Program Files\Covey Inc
2007-08-26 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-26 13:35 <DIR> d-------- C:\NVIDIA
2007-08-26 13:34 356,096 --a------ C:\WINDOWS\system32\drivers\rt61.sys
2007-08-26 13:34 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 13:34 <DIR> d-------- C:\Program Files\Ventrilo
2007-08-26 13:34 <DIR> d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2007-08-26 13:34 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-08-26 13:34 <DIR> d-------- C:\Linksys Driver
2007-08-26 13:34 <DIR> d-------- C:\DOCUME~1\Damon\APPLIC~1\WinRAR
2007-08-26 13:08 618,605 --a--c--- C:\WINDOWS\system32\dllcache\fp4autl.dll
2007-08-26 13:08 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-08-26 13:08 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-08-26 13:08 <DIR> d-------- C:\DELL
2007-08-26 13:07 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-02 12:48 10242080 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-02 12:46 121028 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"svhost"="C:\WINDOWS\svhost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-08-29 16:12]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]



**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-02 12:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-02 12:48:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-02 12:48

--- E O F ---

Markka
2007-09-03, 14:38
Please post a fresh HijackThis log too :bigthumb:

xxx13luexxx
2007-09-03, 19:04
Sorry about that, this is the HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 10:04:18 AM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Covey Inc\EliteSwitch\EliteSwitch.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\Blupig's All-In-One Cheat Package\Magers\Jake's AutoAlch\Alcher.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

xxx13luexxx
2007-09-04, 21:31
This is also a log of a scan I just did.


AntiVir PersonalEdition Classic
Report file date: Tuesday, September 04, 2007 12:00

Scanning for 1043410 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: DAMON-200C1A6A8

Version information:
BUILD.DAT : 247 14437 Bytes 5/10/2007 11:55:00
AVSCAN.EXE : 7.0.4.15 282664 Bytes 4/20/2007 20:37:14
AVSCAN.DLL : 7.0.4.4 33832 Bytes 3/27/2007 20:31:54
LUKE.DLL : 7.0.4.11 143400 Bytes 3/27/2007 20:26:04
LUKERES.DLL : 7.0.4.0 10280 Bytes 3/19/2007 20:18:59
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 22:08:58
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 7/10/2007 05:19:05
ANTIVIR2.VDF : 6.39.1.74 1637376 Bytes 9/2/2007 05:12:11
ANTIVIR3.VDF : 6.39.1.81 20992 Bytes 9/3/2007 05:11:45
AVEWIN32.DLL : 7.4.1.66 2789888 Bytes 9/1/2007 05:19:06
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 18:36:26
AVPREF.DLL : 7.0.2.1 24616 Bytes 3/27/2007 20:31:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 21:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 9/1/2007 05:19:06
AVREG.DLL : 7.0.1.2 31784 Bytes 3/15/2007 17:05:08
AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 3/27/2007 20:16:05
AVARKT.DLL : 1.0.0.17 278568 Bytes 5/2/2007 19:32:26
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 19:09:42
RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 3/13/2007 18:46:18
RCTEXT.DLL : 7.0.45.0 86056 Bytes 3/19/2007 20:42:42

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, September 04, 2007 12:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'Alcher.exe' - '1' Module(s) have been scanned
Scan process 'EliteSwitch.exe' - '1' Module(s) have been scanned
Scan process 'wpabaln.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'aim.exe' - '1' Module(s) have been scanned
Scan process 'Steam.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WMP54Gv4.exe' - '1' Module(s) have been scanned
Scan process 'WLService.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '10' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{8E94C75C-577E-4DDE-A885-F203306B3FE8}\RP10\A0001719.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '470dae6c.qua'!
C:\System Volume Information\_restore{8E94C75C-577E-4DDE-A885-F203306B3FE8}\RP11\A0001820.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '470dae73.qua'!
C:\System Volume Information\_restore{8E94C75C-577E-4DDE-A885-F203306B3FE8}\RP11\A0002010.exe
[DETECTION] Is the Trojan horse TR/Spy.Agent.HZ.8
[INFO] The file was moved to '470dae94.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000369.exe
[DETECTION] Is the Trojan horse TR/Agent.1374314
[INFO] The file was moved to '470daeb8.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000370.exe
[DETECTION] Is the Trojan horse TR/Agent.1374314
[INFO] The file was moved to '466acd0d.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000374.exe
[DETECTION] Is the Trojan horse TR/Agent.1374314
[INFO] The file was moved to '470daeba.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000425.dll
[DETECTION] Is the Trojan horse TR/Vundo.DMP.9
[INFO] The file was moved to '466acd0f.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000426.exe
[DETECTION] Is the Trojan horse TR/Agent.1374314
[INFO] The file was moved to '470daea4.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000427.exe
[DETECTION] Is the Trojan horse TR/Agent.1374314
[INFO] The file was moved to '470daebb.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000428.exe
[DETECTION] Is the Trojan horse TR/Fotomoto.E
[INFO] The file was moved to '466acd08.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000432.exe
[DETECTION] Is the Trojan horse TR/Drop.Agen.26778.A
[INFO] The file was moved to '470daebc.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000433.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '466acd09.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000434.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '470daebe.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000435.exe
[DETECTION] Is the Trojan horse TR/Drop.Agen.26778.A
[INFO] The file was moved to '466acd0b.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000436.dll
[DETECTION] Is the Trojan horse TR/Spy.Delf.VO.14
[INFO] The file was moved to '470daebd.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000437.exe
[DETECTION] Is the Trojan horse TR/Drop.Agen.26778.A
[INFO] The file was moved to '466acd0a.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000619.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '470daec5.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000676.dll
[DETECTION] Is the Trojan horse TR/Vundo.DMP.8
[INFO] The file was moved to '470daec7.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000678.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '470daec8.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP8\A0000114.exe
[DETECTION] Is the Trojan horse TR/Dldr.Winfixer.E.2
[INFO] The file was moved to '470daecf.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP8\A0000147.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.alr.46
[INFO] The file was moved to '470daed0.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP9\A0000251.exe
[DETECTION] Is the Trojan horse TR/Fotomoto.E
[INFO] The file was moved to '470daed3.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP9\A0000358.exe
[DETECTION] Is the Trojan horse TR/Agent.1374314
[INFO] The file was moved to '470daed5.qua'!


End of the scan: Tuesday, September 04, 2007 12:22
Used time: 22:13 min

The scan has been done completely.

2583 Scanning directories
82221 Files were scanned
23 viruses and/or unwanted programs were found
0 classified as suspicious:
0 files were deleted
0 files were repaired
23 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
82198 Files not concerned
807 Archives were scanned
1 Warnings
4 Notes
0 Hidden objects were found
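
Every one of the 23 detections in the report above sits under C:\System Volume Information\_restore{...}\RPnn, that is, inside System Restore snapshots rather than in live files, which is why the scan found them after ComboFix had already removed the active copies. The script below is an added example, not code from the thread or from Avira; it pairs each [DETECTION] line with the path that precedes it and the [INFO] action that follows it, then splits the results into restore-point copies (keyed by volume GUID and restore point) versus files on the live file system. The sample input is constructed from lines copied out of the posted report, plus one made-up detection under a placeholder path to show the live-file branch.

```python
"""Group the [DETECTION] records of an Avira AntiVir report by where the file
lived (added example, not Avira's or the thread's code)."""
import re
from collections import Counter

# Constructed sample: excerpt of the report above plus one made-up detection
# outside System Restore; PLACEHOLDER paths are not real indicators.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{8E94C75C-577E-4DDE-A885-F203306B3FE8}\RP10\A0001719.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '470dae6c.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP10\A0000425.dll
[DETECTION] Is the Trojan horse TR/Vundo.DMP.9
[INFO] The file was moved to '466acd0f.qua'!
C:\System Volume Information\_restore{B57E79C3-C9B4-4233-B782-69D3507A82B2}\RP8\A0000114.exe
[DETECTION] Is the Trojan horse TR/Dldr.Winfixer.E.2
[INFO] The file was moved to '470daecf.qua'!
C:\WINDOWS\system32\PLACEHOLDER_live.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to 'PLACEHOLDER.qua'!
"""

RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{([0-9A-Fa-f-]+)\}\\(RP\d+)\\")
NAME_RE = re.compile(r"(\S+/\S+)\s*$")   # last slash-bearing token, e.g. TR/Vundo.DMP.9
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_detections(report: str) -> list:
    """Pair each [DETECTION] line with the preceding path and the following [INFO] action."""
    found, current = [], None
    for line in report.splitlines():
        if DRIVE_RE.match(line):
            current = line.strip()
        elif line.startswith("[DETECTION]") and current:
            m = NAME_RE.search(line)
            found.append({"path": current, "name": m.group(1) if m else "?", "action": None})
        elif line.startswith("[INFO]") and found and found[-1]["action"] is None:
            found[-1]["action"] = line[len("[INFO] "):].strip()
    return found


def summarize(detections: list) -> dict:
    """Split detections into System Restore snapshots versus the live file system."""
    restore, live, families = Counter(), [], Counter()
    for d in detections:
        families[d["name"]] += 1
        m = RESTORE_RE.search(d["path"])
        if m:
            restore[(m.group(1).upper(), m.group(2))] += 1
        else:
            live.append(d["path"])
    return {"restore_points": restore, "live": live, "families": families}


if __name__ == "__main__":
    s = summarize(parse_detections(SAMPLE_REPORT))
    for (guid, rp), n in sorted(s["restore_points"].items()):
        print(f"{n} detection(s) in restore point {rp} of volume {{{guid}}}")
    print("live-file detections:", s["live"])
    print("families:", dict(s["families"]))
```

A report whose "live" list is empty, as the posted one is, means the remaining work is to purge the old restore points rather than to hunt for a still-active loader; a non-empty "live" list points at files that still need attention.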

Markka
2007-09-05, 14:35
Hello :)

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
_________________

Create a new folder here called HJT

C:\HJT

Now move HijackThis.exe from the desktop into the HJT folder.
______________

Open HijackThis, click Do a system scan only, and put a checkmark next to this entry. Then close all other windows except HijackThis and press Fix checked.

O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
______________________

Make your hidden files visible:
Click start
Click my computer
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button, and close My Computer.
__________________

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
______________

Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
_____________

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
__________________

Delete this file:

C:\WINDOWS\svhost.exe
____________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

________________

Run SDFix in safe mode:

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
_________________

Post:
- A fresh HijackThis log
- AVG Anti-Spyware's report
- Contents of Report.txt

xxx13luexxx
2007-09-06, 01:35
Quote: "__________________

Delete this file:

C:\WINDOWS\svhost.exe
____________________"


In Safe Mode, where do I find svhost.exe and how do I delete it?

xxx13luexxx
2007-09-06, 01:40
I found an svchost.exe in the system32 folder in C:\windows\



Is that it?

xxx13luexxx
2007-09-06, 02:33
I couldn't find the svhost. When I did everything you said about the settings in AVG Anti-Spyware, I scanned it, but it didn't let me click on 'Save Report'.

But here are the other two reports you asked for.

Logfile of HijackThis v1.99.1
Scan saved at 5:31:06 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)


_________________________________________________________

SDFix: Version 1.102

Run by Damon on Wed 09/05/2007 at 05:26 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\DAMON~1.DAM\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Program Files\Steam\steamapps\aznbboii2002@hotmail.com\counter-strike\cstrike\radial.cdb
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished

Markka
2007-09-06, 15:58
Hello :)

If you have some questions, then stop and ask :bigthumb:

This is the bad file:

C:\WINDOWS\svhost.exe

And this is the good file ;)

C:\WINDOWS\System32\svchost.exe
_______________

Kaspersky online scanner works only with Internet Explorer!

Please run an online scanner with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
____________________

Post:
- A fresh HijackThis log
- Kaspersky's report

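The distinction Markka draws in the post above (C:\WINDOWS\svhost.exe is the bad file, C:\WINDOWS\System32\svchost.exe the good one) and the O4 Run entry fixed earlier in the thread are instances of the same triage rule: a name one letter away from a core Windows binary, a system binary name running from the wrong directory, an executable started from a Temp folder, or a BHO with no name or a missing file. The script below is an added example, not part of the original thread and not HijackThis's own code; it applies those checks to a HijackThis-style log. The sample log is constructed, modelled on the logs posted in this thread, and the table of system binaries, their expected directories and the edit-distance threshold of 2 are assumptions chosen for the example.

```python
"""Triage a HijackThis-style log for the kinds of entries flagged in this thread.

Added example, not part of the original forum thread or of HijackThis itself.
"""
import ntpath
import re

# Core Windows binaries and the directory each is expected to run from on XP.
# This table is an assumption for the example; extend it for real triage work.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Matches a \Temp\ or \Tmp\ path component (covers the 8.3 LOCALS~1\Temp form too).
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion separates svhost.exe from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(p: str):
    """Lower-cased (directory, file name) of a Windows path, quotes stripped."""
    p = p.strip().strip('"')
    return ntpath.dirname(p).lower(), ntpath.basename(p).lower()


def check_executable(path: str):
    """Return (reason, path) findings for one executable path."""
    findings = []
    directory, name = split_path(path)
    if name in SYSTEM_BINARIES:
        if directory != SYSTEM_BINARIES[name]:
            findings.append(("system binary name outside its normal directory", path))
    else:
        for legit in SYSTEM_BINARIES:
            # Distance 1 or 2 catches svhost / scvhost / svchosts-style lookalikes.
            if 0 < levenshtein(name, legit) <= 2:
                findings.append((f"lookalike of {legit}", path))
                break
    if TEMP_DIR_RE.search(directory + "\\"):
        findings.append(("executable running from a Temp directory", path))
    return findings


def triage_log(log: str):
    """Walk the Running processes block and the O2/O4 lines of a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if in_processes:
            findings += check_executable(line)
            continue
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2":  # browser helper objects
            if "(no name)" in body:
                findings.append(("BHO with no name", line))
            if "(file missing)" in body:
                findings.append(("BHO pointing at a missing file", line))
        elif section == "O4":  # O4 - HKLM\..\Run: [label] <command line>
            cmd = body.split(": ", 1)[1]
            cmd = cmd.split("] ", 1)[1] if "] " in cmd else cmd
            exe = re.match(r'^"([^"]+)"|^(\S+)', cmd)
            if exe:
                findings += check_executable(exe.group(1) or exe.group(2))
    return findings


# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed sample for this example)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\DAMON~1.DAM\LOCALS~1\Temp\winhost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

O2 - BHO: (no name) - {14CA24CC-1CCC-48C9-B87D-13F2B6D9308E} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\egityqta.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
"""

if __name__ == "__main__":
    for reason, item in triage_log(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

On the sample log this reports the Temp-resident winhost.exe, both nameless BHOs (one of them also as a missing file) and the svhost.exe Run entry as a lookalike of svchost.exe, while the real svchost.exe in System32 and the legitimate dllhost.exe (three edits away) pass. The edit-distance test is deliberately loose; in practice it is a prompt to check the file's location, signature and hash, not a verdict on its own.
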
xxx13luexxx
2007-09-08, 01:03
It says I'm unable to download it because there is a missing file.

Markka
2007-09-08, 21:40
Hello :)

Ok, then run Drweb-cureit:

Please Download Dr.Web-CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) and save it to your desktop.

Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, see whether you can click the icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

xxx13luexxx
2007-09-12, 00:47
I downloaded it and scanned my computer, but after the first quick scan the program freezes and closes.


But here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 3:47:09 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Covey Inc\EliteSwitch\EliteSwitch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\Blupig's All-In-One Cheat Package\Talkers\RuneOwn AutoSpammer\AutoSpammer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\Blupig's All-In-One Cheat Package\Magers\Jake's AutoAlch\Alcher.exe
C:\Documents and Settings\Damon.DAMON-200C1A6A8\Desktop\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Markka
2007-09-12, 19:08
Hello :)

How is your computer running now? Your HijackThis log is clean.

Here are a couple of things on how to stay clean:

Clean speech:

Use Mozilla Firefox or Opera as your browser!
Mozilla Firefox or Opera are better than Internet Explorer.
Download Mozilla Firefox from here! (http://www.mozilla.org/download.html)
Download Opera from here! (http://www.opera.com/download/)

Install a Hosts file!
A Hosts file blocks bad web addresses. Remember to update the Hosts file regularly.
Download Hosts-file from here! (http://mvps.org/winhelp2002/hosts.zip)

Install WinPatrol!
WinPatrol monitors your system and blocks hijacks.
Download Winpatrol from here! (http://www.filepedia.com/desktop_software/desktop_security/winpatrol.cfm)

Install AVG Anti-Spyware!
AVG Anti-Spyware detects and removes malware and cleans your registry too. Run a scan with Ad-Aware regularly and update it before the scan.
Download AVG anti-spyware from here! (http://www.ewido.net/en/download/)

Install CCleaner!
CCleaner cleans your temporary files and also cleans your registry. Run CCleaner regularly.
Download CCleaner from here! (http://www.filepedia.com/desktop_software/desktop_security/ccleaner.cfm)

Install Ad-Aware!
Ad-Aware detects and removes malware and cleans your registry too. Run a scan with Ad-Aware regularly and update it before the scan.
Download Ad-aware from here! (http://www.filepedia.com/desktop_software/desktop_security/ad-aware.cfm)

Install SpywareBlaster!
SpywareBlaster blocks bad ActiveX components. Update it regularly.
Download Spywareblaster from here! (http://www.filepedia.com/desktop_software/desktop_security/spywareblaster.cfm)

System Restore!
Clean and create a new System Restore point regularly. (Remove old System Restore points 1-2 times a year.)
How do I clean my System Restore and create a new System Restore point?
Here are instructions! (http://www.pchell.com/virus/systemrestore.shtml)

Keep all programs updated!
Remember to keep all programs up to date, Windows included. So please visit here (http://windowsupdate.microsoft.com./) regularly and install all critical updates.

xxx13luexxx
2007-09-13, 18:47
Thank you so much, and yes, my computer is running great, no detections at all. I hope you make it at the Malware Removal University, big vouch =]. Thanks again, and I will download a few of those programs.

Markka
2007-09-13, 19:36
Nice to hear and you're welcome! :bigthumb: