PDA

View Full Version : Xlavra victim



bilen
2007-10-16, 22:25
Hi,

Followed instructions to remove this "pest", but everytime I reboot it seems to respawn in the windows directory, can anyone give advice as to what I need to do to permanently destroy this and how to best protect my pc from it in the future?

Thanks

Blade81
2007-10-17, 20:06
Hi

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.

bilen
2007-10-21, 17:08
Blade81
Thanks for getting back to me, please see below for log details

Many thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:23, on 21/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482E-80C0-3A1E5238A565} - (no file)
N4 - Mozilla: user_pref("browser.startup.homepage", "http://home.netscape.com/uk/bookmark/7_0/tnetscape.html"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\gcb3dujt.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\gcb3dujt.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [freesurfer] G:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [DownloadAccelerator] G:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] G:\Program Files\Pop-up\Popup Blocker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - G:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - G:\TEMP Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - G:\TEMP Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C61F824E-DAA6-4167-A11E-BFBF94DDD28E}: NameServer = 194.72.0.114 62.6.40.162
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10205 bytes

Blade81
2007-10-21, 17:38
Hi

1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

bilen
2007-10-23, 23:33
Combofix log:

ComboFix 07-10-23.1 - Carl 2007-10-23 20:59:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.66 [GMT 1:00]
Running from: G:\Downloads\Temp\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\sulimo.dat
.
---- Previous Run -------
.
C:\WINDOWS\system32\sulimo.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02




((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 20:56 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-21 15:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 21:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:17 <DIR> d-------- C:\Documents and Settings\Carl\Phone Browser
2007-10-12 09:18 7,849 --a------ C:\WINDOWS\system32\sulimo.dat
2007-10-11 16:02 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-26 18:25 <DIR> d-------- C:\Program Files\Thomson SpeedTouch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 20:23 --------- d-----w C:\Program Files\Common Files\WinTools
2007-10-21 15:50 --------- d-----w C:\Documents and Settings\Carl\Application Data\uTorrent
2007-10-15 11:06 --------- d-----w C:\Documents and Settings\Carl\Application Data\AVG7
2007-10-14 18:40 --------- d-----w C:\Program Files\VVSN
2007-10-14 18:40 --------- d-----w C:\Program Files\MyWay
2007-09-28 07:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-23 10:00 --------- d-----w C:\Program Files\iTunes
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-14_21.20.56.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 08:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 05:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-10-05 09:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 13:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
- 2004-10-26 22:11:30 245,408 -c--a-w C:\WINDOWS\system32\unicows.dll
+ 2004-12-07 10:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
+ 2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}]
2005-04-06 02:03 190976 --a------ C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-10-03 10:09]
"nwiz"="nwiz.exe" [2005-05-12 00:34 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-12 00:34]
"freesurfer"="G:\Program Files\Free Surfer\fs20.exe" []
"DownloadAccelerator"="G:\PROGRA~1\DAP\DAP.exe" []
"DIAGENT"="C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.exe" [2001-08-30 02:00]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-03-21 18:05]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 12:38]
"PromulGate"="C:\Program Files\DelFin\PromulGate\PgMonitr.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"SearchUpgrader"="C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-26 09:03]
"VVSN"="C:\Program Files\VVSN\VVSN.exe" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 18:15]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-05-12 00:34]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 00:38]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2007-09-26 18:27]
"WinTools"="C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [2005-03-31 02:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"Ultimate Popup Blocker"="G:\Program Files\Pop-up\Popup Blocker.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WinTools"=C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"SpecifyDefaultButtons"=1 (0x1)
"Btn_Search"=2 (0x2)
"NoBandCustomize"=1 (0x1)
"NoToolbarCustomize"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinTools"=C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
"P2P Networking"=C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
S3 ldiskl;ldiskl;\??\C:\DOCUME~1\Carl\LOCALS~1\Temp\ldiskl.sys
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 17:40:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

Blade81
2007-10-24, 21:29
Hi

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\xlavba3.exe
C:\WINDOWS\system32\sulimo.dat

Folder::
C:\Program Files\Common Files\WinTools
C:\Program Files\VVSN
C:\Program Files\Common files\SearchUpgrader

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchUpgrader"=-
"VVSN"=-
"WinTools"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WinTools"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-



Save this as
CFScript


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.

bilen
2007-11-05, 14:17
Sorry for the delay, combofix was a little temperamental and crashed pc on 2 occasions before running ok.

Please see below for the log- thanks again!:bigthumb:

ComboFix 07-11-05.2 - Carl 2007-11-05 12:01:52.6 - NTFSx86
Running from: G:\Downloads\Temp\ComboFix.exe
Command switches used :: C:\Documents and Settings\Carl\Desktop\cfscript_used_2007-10-31@9.05_used_2007-11-05@11.37.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\xlavba3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\system32\sulimo.dat
.
---- Previous Run -------
.
C:\Program Files\Common Files\WinTools
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsB.dll
C:\Program Files\VVSN
C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\sulimo.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\runtime






((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-05 11:33 16,384 --a------ C:\WINDOWS\xlavba8.exe
2007-10-21 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 20:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-14 17:17 <DIR> d-------- C:\Documents and Settings\Carl\Phone Browser
2007-10-11 15:02 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 16:33 --------- d-----w C:\Documents and Settings\Carl\Application Data\uTorrent
2007-10-15 11:06 --------- d-----w C:\Documents and Settings\Carl\Application Data\AVG7
2007-10-14 18:40 --------- d-----w C:\Program Files\MyWay
2007-10-02 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-09-28 07:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-26 17:25 --------- d-----w C:\Program Files\Thomson SpeedTouch
.

((((((((((((((((((((((((((((( snapshot@2007-10-14_21.20.56.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 08:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 18:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-03-13 09:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-03-13 10:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2004-08-03 22:00:08 29,056 -c--a-w C:\WINDOWS\system32\dllcache\ip6fw.sys
- 2007-09-26 08:03:45 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-27 20:21:54 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
- 2007-03-25 18:18:09 45,524 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-29 19:14:59 45,524 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-03-25 18:18:09 364,042 -c--a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-29 19:14:59 364,042 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-05 09:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 18:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
- 2004-10-26 22:11:30 245,408 -c--a-w C:\WINDOWS\system32\unicows.dll
+ 2004-12-07 10:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2007-03-15 11:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
+ 2007-03-15 11:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 00:00]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-10-03 09:09]
"nwiz"="nwiz.exe" [2005-05-11 23:34 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-11 23:34]
"freesurfer"="G:\Program Files\Free Surfer\fs20.exe" []
"DownloadAccelerator"="G:\PROGRA~1\DAP\DAP.exe" []
"DIAGENT"="C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.exe" [2001-08-30 01:00]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-03-21 17:05]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 17:44]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 11:38]
"PromulGate"="C:\Program Files\DelFin\PromulGate\PgMonitr.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 21:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-27 20:22]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-05-11 23:34]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 14:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2007-09-26 17:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"Ultimate Popup Blocker"="G:\Program Files\Pop-up\Popup Blocker.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
"SpecifyDefaultButtons"=1 (0x1)
"Btn_Search"=2 (0x2)
"NoBandCustomize"=1 (0x1)
"NoToolbarCustomize"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinTools"=C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
"P2P Networking"=C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
S2 WinToolsSvc;WinTools for IE service;C:\Program Files\Common Files\WinTools\WToolsS.exe
S3 ldiskl;ldiskl;\??\C:\DOCUME~1\Carl\LOCALS~1\Temp\ldiskl.sys
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 17:40:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-11-05 12:14:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-23 20:29
C:\ComboFix3.txt ... 2007-10-14 20:23
.
--- E O F ---

Blade81
2007-11-05, 19:23
Hi

Please post a fresh hjt log too. :)

bilen
2007-11-07, 20:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:52, on 07/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482E-80C0-3A1E5238A565} - (no file)
N4 - Mozilla: user_pref("browser.startup.homepage", "http://home.netscape.com/uk/bookmark/7_0/tnetscape.html"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\gcb3dujt.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\CARL\Application Data\Mozilla\Profiles\default\gcb3dujt.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [freesurfer] G:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [DownloadAccelerator] G:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Blocker] G:\Program Files\Pop-up\Popup Blocker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - G:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - G:\TEMP Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - G:\TEMP Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C61F824E-DAA6-4167-A11E-BFBF94DDD28E}: NameServer = 194.72.0.114 62.6.40.162
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9726 bytes

Thanks for all your help so far!

Blade81
2007-11-07, 21:22
Hi


Start hjt, click do a system scan only, check:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482E-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: (no name) - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - (no file)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Close browsers and other windows. Click fix checked.


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
@echo off
sc stop WinToolsSvc
sc delete WinToolsSvc

Double-click on fixes.bat file to execute it.


Delete following file if found:
C:\WINDOWS\xlavba8.exe

Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please do an online scan with
Kaspersky
WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
The program will launch and then begin downloading the latest
definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise
Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been
infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post with a fresh hjt log.




Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

Blade81
2007-11-15, 18:32
Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.