Dropper.Agent.dgo and other viruses



SLRHCristy
2008-01-31, 06:34
Hello,

I was on myspace (first mistake I suppose) using Mozilla and IE windows began popping up, and now my computer is infected with all sorts of viruses/spyware. I downloaded and ran AVG anti-virus and spyware, but each time I restart, the infections are back. I have followed all instructions in the "before you post" section. Had to work hard to get the Kaspersky log; viruses seemed to infect it and it could not run. Same with AVG anti-virus. I have previously used Norton and AdAware, though I probably have not updated as I should. Please help! I will be heading to bed soon as it took all night last night to get Kaspersky to work, but will log in tomorrow morning (around 7am MST).

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:09 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2999] command /c del "C:\WINDOWS\system32\jkkjk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1060] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3803] command /c del "C:\WINDOWS\system32\jkkjk.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6672] cmd /c del "C:\WINDOWS\system32\jkkjk.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PiXPO] "C:\Program Files\ProPix Share\1.5\Pixpo.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Anastasia')
O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User 'Anastasia')
O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv (User 'Anastasia')
O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe" (User 'Anastasia')
O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe (User 'Anastasia')
O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Anastasia')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8748 bytes

Kaspersky Log:

Scan My Computer
----------------
Scanned: 258856
Detected: 48
Untreated: 48
Start time: 1/29/2008 10:01:37 PM
Duration: 08:03:13
Finish time: 1/30/2008 6:04:50 AM
Signatures published: 1/29/2008 6:40:34 PM


Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: c:\windows\system32\jkkjk.exe
detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: c:\windows\system32\tup.dll//PE_Patch.PECompact//PecBundle//PECompact
detected: adware not-a-virus:AdWare.Win32.PurityScan.gt File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0082729.dll//PE_Patch.PECompact//PecBundle//PECompact
detected: adware not-a-virus:AdWare.Win32.ZenoSearch.ad File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083872.dll
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084885.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084886.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fn File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084890.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084894.exe
detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084902.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084913.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084920.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085907.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fn File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085910.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085914.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085929.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085932.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085947.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085952.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085954.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP733\A0086015.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP733\A0086018.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086133.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086135.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086136.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086159.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086162.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086164.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086167.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086179.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086183.exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP735\A0086208.exe
detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP735\A0086212.dll//PE_Patch.PECompact//PecBundle//PECompact
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP736\A0086307.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086320.exe
detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086321.dll//PE_Patch.PECompact//PecBundle//PECompact
detected: Trojan program Trojan.Win32.Scapur.k File: C:\Program Files\Common Files\Yazzle1552OinAdmin.exe//PE_Patch.PECompact//PecBundle//PECompact
detected: adware not-a-virus:AdWare.Win32.PurityScan.gp File: C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe//data0001
detected: Trojan program Trojan-Downloader.Win32.Adload.pr File: C:\Program Files\Dot1XCfg\Dot1XCfg .exe
detected: Trojan program Trojan.Java.ClassLoader.Dummy.a File: C:\Program Files\Norton AntiVirus\Quarantine\122C23D7.class//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.c File: C:\Program Files\Norton AntiVirus\Quarantine\12304DD4.class//CryptFF
detected: malware Exploit.Java.ByteVerify File: C:\Program Files\Norton AntiVirus\Quarantine\59E31CF4.class//CryptFF
detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: C:\Program Files\Norton AntiVirus\Quarantine\7177607C.class//CryptFF
detected: adware not-a-virus:AdWare.Win32.ZenoSearch.ad File: C:\Program Files\Outerinfo\FF\components\FF.dll
detected: Trojan program Trojan.Win32.Agent.edq File: C:\Program Files\Temporary\kernInst.exe
detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\Program Files\?ystem\userinit .exe//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Agent.hvj File: C:\WINDOWS\b122.exe
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\WINDOWS\system32\ctfmon.exe.tmp
detected: Trojan program Trojan.Win32.Scapur.k File: C:\WINDOWS\system32\LDBC0.tmp//data0002//PE_Patch.PECompact//PecBundle//PECompact


Events
------
Time Name Status Reason
---- ---- ------ ------
1/29/2008 10:01:37 PM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes
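The two logs above show why the infection returns after every restart: Kaspersky detects the dropper (jkkjk.exe, tup.dll, the "Dot1XCfg .exe" and "userinit .exe" look-alikes), but the HijackThis autostart entries (the win.ini load= line, the unnamed BHOs, the Run entries) relaunch it at boot. The Python triage helper below is an added example, not part of this thread or of either tool: it parses HijackThis entries, applies heuristics the editor drew from the patterns visible in these logs, and cross-references the paths Kaspersky flagged. The sample lines are constructed, trimmed from the posted logs, and a hit is a prompt to investigate, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (shapes copied from the thread's posted logs, trimmed): a
# few HijackThis entries, clean ones next to the ones a helper would question.
SAMPLE_HJT_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BF08679-7C59-40FE-B23D-05EF777A5177} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: (no name) - {6643BAB7-7672-0CA6-5117-5300CCCE8BBE} - C:\WINDOWS\system32\tup.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed excerpt of the Kaspersky "Detected" section in the same shape.
SAMPLE_KAV_LOG = r"""
detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: c:\windows\system32\jkkjk.exe
detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: c:\windows\system32\tup.dll//PE_Patch.PECompact//PecBundle//PECompact
detected: Trojan program Trojan-Downloader.Win32.Adload.pr File: C:\Program Files\Dot1XCfg\Dot1XCfg .exe
"""

HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
KAV_DETECT = re.compile(r"^detected: (?P<verdict>.+?) File: (?P<path>.+)$")
# A drive-rooted Windows path ending in an executable extension; non-greedy so
# trailing switches such as "/STARTUP" or "-vt ndrv" are not swallowed.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com|sys|cpl|ocx)\b', re.IGNORECASE)
# "avp .exe", "userinit .exe": a look-alike file sitting beside the real one.
SPACE_BEFORE_EXT = re.compile(r" \.(?:exe|dll|scr|com)$", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (rule, HJT section, path or entry body)


def normalize(path: str) -> str:
    """Lower-case and drop the scanner's packer/archive suffix ('//PE_Patch...')."""
    return path.split("//")[0].strip().lower()


def kav_detected_paths(kav_text: str) -> Dict[str, str]:
    """Map normalized file path -> verdict for every 'detected:' line."""
    detected: Dict[str, str] = {}
    for line in kav_text.splitlines():
        m = KAV_DETECT.match(line.strip())
        if m:
            detected[normalize(m.group("path"))] = m.group("verdict")
    return detected


def triage_hjt(hjt_text: str, kav_text: str = "") -> List[Finding]:
    """Flag HijackThis entries that deserve a manual look.

    The rules are the editor's triage heuristics (hypothetical, drawn from what
    the logs in the thread show); a hit is a prompt to investigate, not a verdict.
    """
    detected = kav_detected_paths(kav_text)
    findings: List[Finding] = []
    for line in hjt_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        # win.ini 'load=' is a legacy autostart that modern software rarely uses.
        if section == "F3" and "load=" in body:
            findings.append(("WININI_LOAD", section, body))
        # A Browser Helper Object with no name is loaded into every IE process.
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("UNNAMED_BHO", section, body))
        for path in WIN_PATH.findall(body):
            if SPACE_BEFORE_EXT.search(path):
                findings.append(("SPACE_BEFORE_EXT", section, path))
            # HijackThis prints characters it cannot render as '?', so a '?'
            # in a folder name usually means a look-alike non-ASCII name.
            if "?" in path:
                findings.append(("UNPRINTABLE_PATH_CHAR", section, path))
            # An autostart pointing at a file the scanner already flagged
            # explains why the infection returns after every reboot.
            if normalize(path) in detected:
                findings.append(("SCANNER_DETECTED_AUTOSTART", section, path))
    return findings


# Known gap: 8.3 short names (PROGRA~1\YSTEM~1) never equal the scanner's
# long-name paths, so the [Ooba] entry above is not cross-matched here.
FINDINGS = triage_hjt(SAMPLE_HJT_LOG, SAMPLE_KAV_LOG)

if __name__ == "__main__":
    for rule, section, what in FINDINGS:
        print(f"{rule:28} {section:4} {what}")
```

Entries the rules do not catch, such as the rundll32 line loading an unfamiliar DLL, still need the helper's eye; the script narrows the list, it does not replace the review.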

Shaba
2008-02-02, 12:21
Hi SLRHCristy

Rename HijackThis.exe to SLRHCristy.exe and post back a fresh HijackThis log, please :)

SLRHCristy
2008-02-03, 02:11
Shaba,

Thanks in advance for all your help. Virtumonde is really nasty. Here is my new HJT log.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:28 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\YSTEM~1\userinit.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA802] command /c del "C:\WINDOWS\system32\jkkjk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC372] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7956 bytes

Shaba
2008-02-03, 12:26
Hi

That didn't go right.

Rename HijackThis.exe to SLRHCristy.exe by doing the following:

Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now rename HijackThis.exe to SLRHCristy.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

SLRHCristy
2008-02-03, 18:51
Sorry about that, let's try that again. Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:26 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3BF08679-7C59-40FE-B23D-05EF777A5177} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: (no name) - {426BD246-4EDA-3653-FCB8-69A3E6FCF8BA} - C:\WINDOWS\system32\agn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6643BAB7-7672-0CA6-5117-5300CCCE8BBE} - C:\WINDOWS\system32\tup.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: {affb4f65-2e02-ad09-f764-ecb7680fa8fe} - {ef8af086-7bce-467f-90da-20e256f4bffa} - C:\WINDOWS\system32\imcflkci.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA802] command /c del "C:\WINDOWS\system32\jkkjk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC372] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8840 bytes

Shaba
2008-02-03, 19:40
Hi

Are all AVG, Norton and Kaspersky up-to-date?

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happens, we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

SLRHCristy
2008-02-03, 22:30
I believe AVG and Kaspersky are up-to-date as I just downloaded them when reading your "before you post" thread, though I am unable to open any of them to run them; it took hours to get Kaspersky to work the first time. Also, Norton is not up to date, and seems to have been infected as well (or is not working properly because of the infection; not sure; don't know much about software or computers). Should I remove all of these and re-download?

Also, upon startup, three win32 command windows keep popping up, along with an error message stating that WINDOWS/system32/ytdtdwrt.dll cannot be found...is this related to the virus?

Here are my new logs. Thanks so much for your help, Shaba!!

ComboFix 08-02.03.1 - Anastasia 2008-02-03 12:58:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.208 [GMT -7:00]
Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Anastasia N\Application Data\YSTEM~1
C:\Documents and Settings\Anastasia N\My Documents\ICROSO~1
C:\Documents and Settings\Anastasia N\My Documents\ICROSO~1\?ti2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\outerinfo
C:\Program Files\QdrDrive
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\ystem~1
C:\Program Files\ystem~1\s?stem\
C:\Program Files\ystem~1\userinit .exe
C:\Program Files\ystem~1\userinit.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\diacooxh.ini
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\system
C:\WINDOWS\system32\system\msxml4.dll
C:\WINDOWS\system32\system\msxml4r.dll
C:\WINDOWS\system32\trwdtdty.ini
C:\WINDOWS\system32\tup.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 21:51 . 2008-01-29 18:47 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
2008-01-28 21:50 . 2008-01-28 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-28 19:11 . 2008-01-29 21:05 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-28 17:43 . 2008-01-28 17:43 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\Grisoft
2008-01-28 17:43 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-27 18:41 . 2008-01-28 18:14 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-27 18:36 . 2008-01-27 18:36 270,698 --a------ C:\WINDOWS\system32\LE91E.tmp
2008-01-27 18:36 . 2008-01-30 21:10 181,965 --a------ C:\WINDOWS\system32\LDBC0.tmp
2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 01:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 01:58 --------- d-----w C:\Program Files\SymNetDrv
2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
2008-01-29 00:10 --------- d-----w C:\Program Files\iTunes
2008-01-29 00:09 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-12-16 19:59 --------- d-----w C:\Program Files\Java
2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

<pre>
----a-w 313,472 2008-01-29 00:10:28 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 71,280 2008-01-29 00:09:55 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 61,440 2008-01-31 04:10:36 C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w 579,072 2008-01-29 13:43:24 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 278,528 2008-01-29 00:10:11 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-29 00:10:03 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 572,416 2008-01-31 04:08:05 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 57,344 2008-01-29 00:09:59 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 53,248 2008-01-29 00:10:06 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w 74,920 2008-01-29 00:10:06 C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK .EXE
----a-w 100,056 2008-01-29 00:10:04 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 1,126,400 2008-01-29 00:10:30 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w 15,360 2008-01-30 04:05:19 C:\WINDOWS\system32\ctfmon .exe
----a-w 114,688 2008-01-29 00:09:52 C:\WINDOWS\system32\hkcmd .exe
----a-w 155,648 2008-01-29 00:09:51 C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12561D4D-7C56-4B41-9A08-E3F52F346476}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426BD246-4EDA-3653-FCB8-69A3E6FCF8BA}]
C:\WINDOWS\system32\agn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef8af086-7bce-467f-90da-20e256f4bffa}]
C:\WINDOWS\system32\imcflkci.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Ooba"="C:\PROGRA~1\YSTEM~1\userinit.exe" [ ]
"Mxdbxgsi"="C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
"Launcher"="F:\setup.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"aca01c91"="C:\WINDOWS\system32\ytdtdwrt.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe" [2008-01-30 21:08 572416]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:10 633344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 19:44:38 C:\WINDOWS\Tasks\Ad-aware.job"
- C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
"2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-02-03 08:17:49 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-02-03 17:25:01 C:\WINDOWS\Tasks\Norton System Doctor.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
"2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
"2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-02-03 12:20:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 13:06:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-02-03 13:13:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 20:13:16
.
2008-01-30 10:01:48 --- E O F ---

SLRHCristy
2008-02-03, 22:31
And here is the new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:17 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12561D4D-7C56-4B41-9A08-E3F52F346476} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {426BD246-4EDA-3653-FCB8-69A3E6FCF8BA} - C:\WINDOWS\system32\agn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: {affb4f65-2e02-ad09-f764-ecb7680fa8fe} - {ef8af086-7bce-467f-90da-20e256f4bffa} - C:\WINDOWS\system32\imcflkci.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8117 bytes

Shaba
2008-02-04, 11:36
Hi

Yes, you should, but not now, as you are infected.

Open notepad and copy/paste the text in the quotebox below into it:


RenV::
----a-w 313,472 2008-01-29 00:10:28 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 71,280 2008-01-29 00:09:55 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 61,440 2008-01-31 04:10:36 C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w 579,072 2008-01-29 13:43:24 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 278,528 2008-01-29 00:10:11 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-29 00:10:03 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 572,416 2008-01-31 04:08:05 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 57,344 2008-01-29 00:09:59 C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
----a-w 53,248 2008-01-29 00:10:06 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w 74,920 2008-01-29 00:10:06 C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK .EXE
----a-w 100,056 2008-01-29 00:10:04 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 1,126,400 2008-01-29 00:10:30 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
----a-w 15,360 2008-01-30 04:05:19 C:\WINDOWS\system32\ctfmon .exe
----a-w 114,688 2008-01-29 00:09:52 C:\WINDOWS\system32\hkcmd .exe
----a-w 155,648 2008-01-29 00:09:51 C:\WINDOWS\system32\igfxtray .exe

File::
C:\WINDOWS\system32\LE91E.tmp
C:\WINDOWS\system32\LDBC0.tmp

Folder::
C:\Program Files\Dot1XCfg

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12561D4D-7C56-4B41-9A08-E3F52F346476}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426BD246-4EDA-3653-FCB8-69A3E6FCF8BA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef8af086-7bce-467f-90da-20e256f4bffa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ooba"=-
"Mxdbxgsi"=-
"Dot1XCfg"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aca01c91"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happens, we want to know, and also what process you had to end.
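
The two helper posts above (run ComboFix, then hand it a CFScript) boil down to reading the HijackThis and ComboFix logs for a handful of tells and turning them into CFScript sections. The script below is an added example, not code from this thread or from the HijackThis/ComboFix authors. It takes the CFScript section names and shorthand exactly as they appear in the post above (RenV::, Registry::, `[-KEY]` to delete a key, `"name"=-` to delete a value); the flagging heuristics (a space inserted before the extension as in `avp .exe`, a `?` in a path where HijackThis could not print a character, a rundll32 loader under a hex-looking value name, a Windows binary name such as userinit.exe living outside system32, a BHO marked `(file missing)`) are the editor's own assumptions. The sample lines are copied from the logs posted in this thread.

```python
"""Triage HijackThis O2/O4 lines and draft the matching ComboFix CFScript.

Added example for this thread, not code from the HijackThis or ComboFix
authors.  CFScript section names and shorthand follow the helper's post;
the flagging heuristics are the editor's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): '
                   r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# O2 - BHO: label - {CLSID} - path [(file missing)]
O2_RE = re.compile(r'^O2 - BHO: .+? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - '
                   r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# ComboFix <pre> block line: attrs size date time path (pasted verbatim under RenV::)
PRE_RE = re.compile(r'^-+a-w [\d,]+ \d{4}-\d\d-\d\d \d\d:\d\d:\d\d .+$')
# First executable path in a Run command, quoted or not
CMD_PATH_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|bat|cmd))"?', re.I)
SPACE_EXT_RE = re.compile(r' \.[A-Za-z]{3}$')   # "avp .exe": the original was renamed
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$')     # "aca01c91": generated value name
SYSTEM_BINARIES = {"userinit.exe", "ctfmon.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "csrss.exe"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    reason: str
    line: str
    # ("run", hive, key, name) | ("bho", clsid) | ("renv", path) | None
    fix: Optional[tuple] = None


def exe_path(cmd: str) -> str:
    """Executable (or rundll32 host) a Run command starts, without quotes."""
    m = CMD_PATH_RE.match(cmd)
    return m.group("path") if m else cmd


def triage(lines):
    """Return one Finding per suspicious O2/O4 line; clean lines yield nothing."""
    findings = []
    for line in (l.rstrip() for l in lines):
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("BHO registered for a DLL that is gone: orphan CLSID",
                                        line, ("bho", m.group("clsid"))))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
        run_fix = ("run", hive, key, name)
        path = exe_path(cmd)
        parent, _, base = path.lower().rpartition("\\")
        if "?" in cmd:
            # '?' is illegal in a Windows path; HijackThis prints it for non-ASCII characters
            findings.append(Finding("path uses characters HijackThis cannot print", line, run_fix))
        elif base == "rundll32.exe" and HEX_NAME_RE.match(name):
            findings.append(Finding("rundll32 loader under a generated hex value name", line, run_fix))
        elif base in SYSTEM_BINARIES and not parent.endswith(r"\windows\system32"):
            findings.append(Finding(f"{base} is a Windows binary name living outside system32",
                                    line, run_fix))
        elif SPACE_EXT_RE.search(path):
            findings.append(Finding("space before extension: original renamed, restore via RenV::",
                                    line, ("renv", path)))
    return findings


def draft_cfscript(findings, pre_lines=()):
    """Draft CFScript text for the helper to review; RenV:: lines come from ComboFix's <pre> block."""
    renv = [l.rstrip() for l in pre_lines if PRE_RE.match(l.rstrip())]
    bhos, runs = [], {}
    for f in findings:
        if f.fix and f.fix[0] == "bho":
            bhos.append(f.fix[1])
        elif f.fix and f.fix[0] == "run":
            _, hive, key, name = f.fix
            reg = f"{HIVES[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{key}"
            runs.setdefault(reg, []).append(name)
    out = []
    if renv:
        out += ["RenV::", *renv, ""]
    if bhos or runs:
        out.append("Registry::")
        for clsid in bhos:
            out += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]", ""]
        for reg, names in runs.items():
            out += [f"[{reg}]", *(f'"{n}"=-' for n in names), ""]
    return "\n".join(out).rstrip("\n") + "\n"


# Sample lines copied from the HijackThis and ComboFix logs posted in this thread
SAMPLE_HJT = [
    r"O2 - BHO: (no name) - {12561D4D-7C56-4B41-9A08-E3F52F346476} - C:\WINDOWS\system32\jkkjk.dll (file missing)",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b',
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"',
]
SAMPLE_PRE = [
    r"----a-w 572,416 2008-01-31 04:08:05 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe",
    r"----a-w 15,360 2008-01-30 04:05:19 C:\WINDOWS\system32\ctfmon .exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.reason}\n    {f.line}")
    print(draft_cfscript(triage(SAMPLE_HJT), SAMPLE_PRE))
```

On the sample above it flags the orphan BHO, the rundll32 entry, the two Run values pointing at the hidden-character paths and the renamed `avp .exe`, leaves the genuine ctfmon and NAV Helper entries alone, and prints a CFScript whose RenV:: and Registry:: sections match the ones in the post above. The decision which entries go stays with whoever reads the log; the script only drafts the text.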

SLRHCristy
2008-02-05, 03:56
Here's the new combofix:

ComboFix 08-02.03.1 - Anastasia 2008-02-04 18:29:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -7:00]
Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anastasia N\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\LDBC0.tmp
C:\WINDOWS\system32\LE91E.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dot1XCfg
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\WINDOWS\system32\LDBC0.tmp
C:\WINDOWS\system32\LE91E.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 21:51 . 2008-02-04 18:37 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
2008-01-28 21:50 . 2008-01-28 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-28 17:43 . 2008-01-28 17:43 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\Grisoft
2008-01-28 17:43 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:37 347,648 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-02-05 01:37 330,752 ----a-w C:\WINDOWS\system32\jkkjk.exe
2008-02-05 01:36 327,168 ----a-w C:\WINDOWS\system32\jkkjk.dll
2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
2007-12-16 19:59 --------- d-----w C:\Program Files\Java
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

<pre>
----a-w 219,136 2008-02-05 01:36:27 C:\Program Files\Grisoft\AVG7\avgw .exe
----a-w 572,416 2008-01-31 04:08:05 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2DD60D-6E06-4D4B-8AC6-0D43527A30FB}]
2008-02-04 18:36 327168 --a------ C:\WINDOWS\system32\jkkjk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2008-02-04 18:37 1488384]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-02-04 18:37 737280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
"Launcher"="F:\setup.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 18:42 579072]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe" [2008-01-30 21:08 572416]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:10 633344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkkjk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk

S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 01:43:00 C:\WINDOWS\Tasks\Ad-aware.job"
- C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
"2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-02-03 08:17:49 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-02-03 17:25:01 C:\WINDOWS\Tasks\Norton System Doctor.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
"2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
"2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-02-04 04:20:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 18:36:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\jkkjk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
.
**************************************************************************
.
Completion time: 2008-02-04 18:45:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 01:45:34
ComboFix2.txt 2008-02-03 20:13:26
.
2008-01-30 10:01:48 --- E O F ---

And HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:34 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FC2DD60D-6E06-4D4B-8AC6-0D43527A30FB} - C:\WINDOWS\system32\jkkjk.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7715 bytes

Shaba
2008-02-05, 15:34
Hi

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\system32\jkkjk.dll
C:\Program Files\Grisoft\AVG7\avgw .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2DD60D-6E06-4D4B-8AC6-0D43527A30FB}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
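For anyone reading along who wants to see what the Registry:: part of that script actually does: the `hex(7):` value is a REG_MULTI_SZ literal in .reg syntax, and the bytes `6d,73,76,31,5f,30,00,00` spell out `msv1_0` followed by the list terminator, i.e. the stock Windows XP value of the LSA Authentication Packages list that the earlier ComboFix log showed with `C:\WINDOWS\system32\jkkjk` appended to it. Anything added to that list is loaded into lsass.exe at boot, which is why resetting it is part of the fix. The following is an added example, not code from the thread or from ComboFix: it decodes and encodes that literal, parses the line as ComboFix prints it, and flags entries that are not the default. The assumption it relies on is that `msv1_0` is the only entry expected on an XP machine; the log line it parses is constructed to match the one posted above.

```python
"""Audit helpers for the LSA "Authentication Packages" persistence point.

Added example for the thread above; it is not ComboFix's own code. It
assumes (as is the case on Windows XP) that the stock value of
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages is the
single entry msv1_0.
"""
import re
from typing import List

DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_reg_multi_sz(literal: str, encoding: str = "latin-1") -> List[str]:
    """Turn 'hex(7):6d,73,76,31,5f,30,00,00' into ['msv1_0'].

    REGEDIT4-style files (the format CFScripts use) store the bytes as
    single-byte ANSI text; 'Windows Registry Editor Version 5.00' exports
    store UTF-16LE, which the caller selects with encoding='utf-16-le'.
    Regedit's line continuations ('\\' + newline + spaces) are tolerated
    because only the two-digit hex groups are read.
    """
    m = re.fullmatch(r"\s*hex\(7\):([0-9a-fA-F,\s\\]*)", literal)
    if not m:
        raise ValueError(f"not a hex(7) literal: {literal!r}")
    raw = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    text = raw.decode(encoding)
    # REG_MULTI_SZ = NUL-terminated strings followed by one extra NUL.
    parts = text.split("\0")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def encode_reg_multi_sz(items: List[str], encoding: str = "latin-1") -> str:
    """Inverse of decode_reg_multi_sz; produces the literal a CFScript needs."""
    nul = "\0".encode(encoding)
    raw = b"".join(s.encode(encoding) + nul for s in items) + nul
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_auth_packages(line: str) -> List[str]:
    """Parse ComboFix's rendering of the value, e.g.
    'Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\jkkjk'.

    ComboFix joins the entries with spaces, so an entry whose own path
    contains a space cannot be split back apart reliably; check such lines
    by hand.
    """
    prefix = "Authentication Packages REG_MULTI_SZ"
    stripped = line.strip()
    if not stripped.startswith(prefix):
        raise ValueError("not an Authentication Packages line")
    return stripped[len(prefix):].split()


def unexpected_auth_packages(packages: List[str]) -> List[str]:
    """Entries other than the stock msv1_0 (compared case-insensitively).
    Each one is a DLL that lsass.exe loads at boot."""
    expected = {p.lower() for p in DEFAULT_AUTH_PACKAGES}
    return [p for p in packages if p.lower() not in expected]


if __name__ == "__main__":
    # Constructed to match the line in the ComboFix log posted above.
    logged = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk"
    found = parse_combofix_auth_packages(logged)
    print("extra packages:", unexpected_auth_packages(found))
    # The CFScript's replacement value decodes back to the stock list,
    # and encoding the stock list reproduces the script's literal.
    print(decode_reg_multi_sz("hex(7):6d,73,76,31,5f,30,00,00"))
    print(encode_reg_multi_sz(DEFAULT_AUTH_PACKAGES))
```

Running it prints the extra package `C:\WINDOWS\system32\jkkjk`, then `['msv1_0']`, then the same `hex(7):6d,73,76,31,5f,30,00,00` literal that the CFScript contains, which is a quick way to confirm a script like this before dropping it onto ComboFix.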

SLRHCristy
2008-02-06, 05:03
ComboFix 08-02.03.1 - Anastasia 2008-02-05 19:16:49.3 - NTFSx86
Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anastasia N\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Grisoft\AVG7\avgw .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\jkkjk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\Program Files\Grisoft\AVG7\avgw .exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
C:\WINDOWS\system32\jkkjk.exe
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 21:51 . 2008-02-05 18:52 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
2008-01-28 21:50 . 2008-02-04 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-28 17:43 . 2008-01-28 17:43 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\Grisoft
2008-01-28 17:43 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
2007-12-16 19:59 --------- d-----w C:\Program Files\Java
2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

<pre>
----a-w 313,472 2008-02-06 01:51:24 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 579,072 2008-02-06 01:51:22 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 1,126,400 2008-02-06 01:51:27 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{945C7CD3-2C1F-4BB9-9922-BD5C5F33DC17}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP .exe" [2008-02-05 18:51 1126400]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-02-05 18:51 737280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
"Launcher"="F:\setup.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-05 18:51 1107456]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:10 633344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 02:29:43 C:\WINDOWS\Tasks\Ad-aware.job"
- C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
"2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-02-05 02:38:08 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXE
"2008-02-05 04:29:23 C:\WINDOWS\Tasks\Norton System Doctor.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
"2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
"2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-02-05 04:20:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 19:38:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-02-05 19:44:39 - machine was rebooted [Anastasia]
ComboFix-quarantined-files.txt 2008-02-06 02:44:24
ComboFix2.txt 2008-02-05 01:45:46
ComboFix3.txt 2008-02-03 20:13:26
.
2008-01-30 10:01:48 --- E O F ---



And HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:50 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {945C7CD3-2C1F-4BB9-9922-BD5C5F33DC17} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP .exe -Hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7589 bytes


Thanks, Shaba!!

Shaba
2008-02-06, 12:17
Hi

More deletions needed to stop infection.

Uninstall these programs:

AVG antivirus
Adobe Acrobat Reader 7.0
StyleXP

Delete these folders:

C:\Program Files\Adobe\Acrobat 7.0\Reader
C:\Program Files\Grisoft\AVG7
C:\Program Files\TGTSoft\StyleXP

Empty Recycle Bin.

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {945C7CD3-2C1F-4BB9-9922-BD5C5F33DC17} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP .exe -Hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)

Close all windows including browser and press fix checked.

Reboot.

Re-run combofix.

Post:

- a fresh HijackThis log
- combofix report
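
The entries Shaba lists above share one tell: `avp .exe`, `avgas .exe` and `StyleXP .exe` all carry a space before the extension, sitting in the same folder as the genuine program and inheriting its Run entry, so the registry still looks like the security product. Fixing the line in HijackThis only removes the autostart; the file itself still has to be deleted, which is why the folders are removed as well. The following script is an added example, not a tool from this forum or from HijackThis: it parses HijackThis-style lines and flags that pattern together with orphaned entries. The sample lines are copied from the logs posted in this thread; the regexes and the heuristics are my own.

```python
"""Triage HijackThis autostart lines for the "name .exe" impostor trick.

Added example for this thread, not a tool from the forum or from HijackThis.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, plus two clean lines (ctfmon.exe, SymWSC.exe) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {945C7CD3-2C1F-4BB9-9922-BD5C5F33DC17} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP .exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# A drive-letter path up to the first .exe/.dll; non-greedy so a quoted path
# followed by arguments ("...\avgas .exe" /minimized) stops at the binary.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)
# Whitespace immediately before the extension is the impostor signature.
IMPOSTOR_RE = re.compile(r'\s\.(?:exe|dll)$', re.IGNORECASE)


def extract_path(line: str) -> Optional[str]:
    """Return the first executable/DLL path on a HijackThis line, if any."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def suspicious_reasons(line: str) -> List[str]:
    """List the reasons a single HijackThis line deserves a look (empty = clean)."""
    reasons: List[str] = []
    path = extract_path(line)
    if path is not None:
        basename = path.rsplit('\\', 1)[-1]
        if IMPOSTOR_RE.search(basename):
            reasons.append(f'space before extension in "{basename}"')
    if '(file missing)' in line or '(no file)' in line:
        reasons.append('autostart points at a file that no longer exists')
    # "Unknown owner" alone proves nothing (StyleXP's own service shows it),
    # so it only corroborates a service line that is already suspect.
    if line.startswith('O23') and 'Unknown owner' in line and reasons:
        reasons.append('service entry carries no publisher name')
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every non-empty line with at least one reason."""
    hits: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = suspicious_reasons(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def fix_list(log_text: str) -> List[str]:
    """The lines one would checkmark in HijackThis before 'Fix checked'."""
    return [line for line, _ in triage(log_text)]


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print('   ->', reason)
```

Run it against a full HijackThis log by reading the file into `triage()`; the clean `avgcc.exe` line is deliberately not flagged, while the `avgcc .exe` that ComboFix later listed in the Grisoft folder would be. Treat the output as a shortlist for a human, not a verdict: a missing file can be a stale uninstall as easily as malware.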

SLRHCristy
2008-02-06, 14:45
Good morning! :)

I am not able to delete the folder for C:\Program Files\Grisoft\AVG7. I keep getting an error that states: "cannot delete context.dll: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use..." Just wanted to check in with you before continuing with other steps.

Thanks, Shaba. You have been so helpful!!

Shaba
2008-02-06, 14:51
Hi

Delete those folders then in safe mode, please :)

SLRHCristy
2008-02-06, 15:19
Hi,

I'm trying to delete these in safe mode. The first time I tried to log into safe mode, a file (WINDOWS/System32/ntoskrnl.exe) was listed at the top of the screen, and the system would not log on. I shut down completely, and started up successfully in safe mode. Now when I try to delete the file in safe mode, I get the same error as below, except that it now states "cannot delete avgse.dll". Help! Am I doing something wrong?

Also, I cannot access the internet in safe mode to check the forum, so I will have to get my laptop to continue the responses...

Let me know if I should proceed with the other steps, or wait until we resolve the issue with deleting the Grisoft folder.

Thanks!!

Shaba
2008-02-06, 16:23
Hi

Try this (http://support.microsoft.com/kb/308421) for that folder and if no go, just move on, please :)

SLRHCristy
2008-02-07, 05:09
Shaba, I am still unable to remove the Grisoft folder; still the same error, but with "avgamint.dll" and "avgse.dll". Also, I could not find O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized on the HJT scan, but successfully (I think) fixed all the others.

Here is my new combofix log:

ComboFix 08-02.03.1 - Anastasia 2008-02-06 19:51:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.240 [GMT -7:00]
Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 21:51 . 2008-02-05 18:52 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
2008-01-28 21:50 . 2008-02-04 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 02:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
2007-12-16 19:59 --------- d-----w C:\Program Files\Java
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

----a-w 579,072 2008-02-06 01:51:22 C:\Program Files\Grisoft\AVG7\avgcc .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
"Launcher"="F:\setup.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 12:45:27 C:\WINDOWS\Tasks\Ad-aware.job"
- C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
"2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-02-05 02:38:08 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-02-05 04:29:23 C:\WINDOWS\Tasks\Norton System Doctor.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
"2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
"2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-02-07 00:20:17 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 19:54:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-06 19:56:25
ComboFix-quarantined-files.txt 2008-02-07 02:55:29
ComboFix2.txt 2008-02-06 02:44:40
ComboFix3.txt 2008-02-05 01:45:46
ComboFix4.txt 2008-02-03 20:13:26
.
2008-01-30 10:01:48 --- E O F ---



And HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:51 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5774 bytes



When I first started trying to uninstall these programs, I kept getting popups labeled AVG warnings, but they looked nothing like the normal AVG... perhaps this has already been fixed with what we have done. Just an FYI: also, my login screen is completely different. It used to have all of our usernames listed on the right with a box for our passwords; now it is the Windows XP login screen where you type a username and then a password. Is this also just due to the fixes we are running? Just trying to make sure I haven't goofed up along the way.

Thanks so much for all your patience with me thus far!!!

Shaba
2008-02-07, 11:39
Hi

"just an fyi-also my login screen is completely different-it used to have all of our usernames listed on the right w/a box for our passwords, now it is the windows xp login screen where you type a username and then password. Is this also just due to the fixes we are running?"

Likely it is, but I haven't heard of such before.

Open notepad and copy/paste the text in the quotebox below into it:


Folder::
C:\PROGRA~1\Grisoft

Driver::
Avg7Alrt
Avg7UpdSvc


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

SLRHCristy
2008-02-08, 08:06
(At least I think it's morning there...):)
Here is the new ComboFix log:

ComboFix 08-02.03.1 - Anastasia 2008-02-07 22:44:03.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT -7:00]
Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anastasia N\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\Grisoft
C:\PROGRA~1\Grisoft\AVG7\avg.snu
C:\PROGRA~1\Grisoft\AVG7\avg6cmpt.dll
C:\PROGRA~1\Grisoft\AVG7\avg7us.lng
C:\PROGRA~1\Grisoft\AVG7\avgabout.dll
C:\PROGRA~1\Grisoft\AVG7\avgamint.dll
C:\PROGRA~1\Grisoft\AVG7\avgamsps.dll
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgbat.bav
C:\PROGRA~1\Grisoft\AVG7\avgcc .exe
C:\PROGRA~1\Grisoft\AVG7\avgcckrn.dll
C:\PROGRA~1\Grisoft\AVG7\avgcfg.dll
C:\PROGRA~1\Grisoft\AVG7\avgcore.dll
C:\PROGRA~1\Grisoft\AVG7\avgctrl.dll
C:\PROGRA~1\Grisoft\AVG7\avgeud32.dll
C:\PROGRA~1\Grisoft\AVG7\avgf.dll
C:\PROGRA~1\Grisoft\AVG7\avghlog.dll
C:\PROGRA~1\Grisoft\AVG7\avginet.dll
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\PROGRA~1\Grisoft\AVG7\avgklib.dll
C:\PROGRA~1\Grisoft\AVG7\avglng.dll
C:\PROGRA~1\Grisoft\AVG7\avglog.dll
C:\PROGRA~1\Grisoft\AVG7\avgmail.dll
C:\PROGRA~1\Grisoft\AVG7\avgmvfl.dll
C:\PROGRA~1\Grisoft\AVG7\avgoff2k.dll
C:\PROGRA~1\Grisoft\AVG7\avgrep.dll
C:\PROGRA~1\Grisoft\AVG7\avgres.dll
C:\PROGRA~1\Grisoft\AVG7\avgresf.dll
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgscan.dll
C:\PROGRA~1\Grisoft\AVG7\avgscan.exe
C:\PROGRA~1\Grisoft\AVG7\avgse.dll
C:\PROGRA~1\Grisoft\AVG7\avgset.dll
C:\PROGRA~1\Grisoft\AVG7\avgtest.dll
C:\PROGRA~1\Grisoft\AVG7\avgtitle.dat
C:\PROGRA~1\Grisoft\AVG7\avgtmgr.dll
C:\PROGRA~1\Grisoft\AVG7\avgtres.dll
C:\PROGRA~1\Grisoft\AVG7\avgunarc.dll
C:\PROGRA~1\Grisoft\AVG7\avgupd.dll
C:\PROGRA~1\Grisoft\AVG7\avgupdln.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.dll
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avguss.chm
C:\PROGRA~1\Grisoft\AVG7\avgvault.dll
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\Grisoft\AVG7\avgxch32.dll
C:\PROGRA~1\Grisoft\AVG7\avi7.avg
C:\PROGRA~1\Grisoft\AVG7\contact_us.txt
C:\PROGRA~1\Grisoft\AVG7\dbghelp.dll
C:\PROGRA~1\Grisoft\AVG7\dfncfg.dat
C:\PROGRA~1\Grisoft\AVG7\dfncfgfr.dat
C:\PROGRA~1\Grisoft\AVG7\incavi.avm
C:\PROGRA~1\Grisoft\AVG7\license_us.txt
C:\PROGRA~1\Grisoft\AVG7\microavi.avg
C:\PROGRA~1\Grisoft\AVG7\miniavi.avg
C:\PROGRA~1\Grisoft\AVG7\order_us.pdf
C:\PROGRA~1\Grisoft\AVG7\order_us.txt
C:\PROGRA~1\Grisoft\AVG7\register_us.pdf
C:\PROGRA~1\Grisoft\AVG7\register_us.txt
C:\PROGRA~1\Grisoft\AVG7\set_vers.cfg
C:\PROGRA~1\Grisoft\AVG7\setup.dat
C:\PROGRA~1\Grisoft\AVG7\setup.exe
C:\PROGRA~1\Grisoft\AVG7\setupus.lns
C:\PROGRA~1\Grisoft\AVG7\sporder.dll
C:\PROGRA~1\Grisoft\AVG7\upd_vers.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AVG7ALRT
-------\LEGACY_AVG7UPDSVC
-------\Avg7Alrt
-------\Avg7UpdSvc


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 21:51 . 2008-02-05 18:52 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
2008-01-28 21:50 . 2008-02-04 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 02:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
2007-12-16 19:59 --------- d-----w C:\Program Files\Java
2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
"Launcher"="F:\setup.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 02:55:52 C:\WINDOWS\Tasks\Ad-aware.job"
- C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
"2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-02-05 02:38:08 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-02-05 04:29:23 C:\WINDOWS\Tasks\Norton System Doctor.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
"2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
"2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-02-07 00:20:17 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 22:49:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-02-07 22:54:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 05:54:32
ComboFix2.txt 2008-02-07 02:56:26
ComboFix3.txt 2008-02-06 02:44:40
ComboFix4.txt 2008-02-05 01:45:46
ComboFix5.txt 2008-02-03 20:13:26
.
2008-01-30 10:01:48 --- E O F ---



And the new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:18 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5512 bytes



Thanks!
Cristy

Shaba
2008-02-08, 11:58
Hi

Yes, now it looks like to be gone :)

Delete these folders:

C:\Documents and Settings\LocalService\Application Data\AVG7
C:\Documents and Settings\Anastasia N\Application Data\AVG7
C:\Documents and Settings\All Users\Application Data\avg7
C:\Documents and Settings\All Users\Application Data\Grisoft

Empty Recycle Bin.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now, under Select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

SLRHCristy
2008-02-08, 16:17
Hi,

Glad to be rid of those folders :)

As for Kaspersky, the "accept" button on the link you provided is not working.

Also, I cannot get IE to let me go to any website besides myspace or yahoo. When I try to go to another site via IE, I got a message that IE was having a problem with add-on flash8.ocx. That error went away after a few times. When I tried again to go to another site, it kept saying Windows cannot find "null". When I tried to download kaspersky from the kaspersky site, I copy/pasted the link from firefox to IE, and it would just pop over to firefox and open it.

Firefox is working fine, but I cannot figure out what's up with IE.
Urgh.

Help!

SLRHCristy
2008-02-08, 16:19
Also,

Here's a new HJT log just in case you need that also. Thanks so much for all your help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:17 AM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5299 bytes

Shaba
2008-02-08, 19:04
Hi

Then we do this instead:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):

Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing the internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart into Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner. Now let's do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty Notepad file and paste the results (Ctrl+V) into it. Save the Notepad file to your desktop, naming it as you want (e.g. MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log.

SLRHCristy
2008-02-09, 22:32
Shaba,

I knew you'd have an answer! :D

Here is the new MWav scan result:

File C:\Program Files\Norton AntiVirus\Quarantine\122C23D7.class infected by "Trojan.Java.ClassLoader.Dummy.a" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\12304DD4.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\59E31CF4.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7177607C.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: File Deleted.
File C:\QooBox\Quarantine\C\Program Files\Grisoft\AVG7\avgw.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjk.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\QooBox\Quarantine\C\WINDOWS\system32\LDBC0.tmp.vir infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083872.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083873.exe infected by "Trojan-Downloader.Win32.Small.cdy" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084885.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084886.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084894.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084902.exe infected by "Trojan-Downloader.Win32.Agent.gwe" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084913.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084920.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085914.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085929.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085932.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085952.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086133.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086136.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086159.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086162.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086167.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP735\A0086208.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP736\A0086307.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086320.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086323.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086324.exe tagged as not-a-virus:AdWare.Win32.PurityScan.gp. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086326.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086338.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086340.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086341.exe tagged as not-a-virus:AdWare.Win32.PurityScan.gp. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086343.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086358.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086362.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086367.exe tagged as not-a-virus:AdWare.Win32.PurityScan.gp. No Action Taken.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086368.exe infected by "Trojan.Win32.Scapur.k" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086378.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086380.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086381.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086385.exe infected by "Trojan-Downloader.Win32.Agent.gwe" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086393.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086408.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086425.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP738\A0086427.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP739\A0086439.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP739\A0086441.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP739\A0086443.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP741\A0086489.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086605.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086666.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086667.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP743\A0086669.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP744\A0086679.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP745\A0086746.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP746\A0086846.rbf infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP746\A0086903.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP749\A0087162.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP749\A0087169.exe infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.

SLRHCristy
2008-02-09, 22:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:47 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5210 bytes



Thanks!!!
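
Added example, not code from HijackThis, MWav, ComboFix or anyone in this thread: a small Python triage script that parses HJT log lines and an MWav report, then flags any HJT entry that still references a file a scanner already named (here jkkjk.exe, which MWav deleted from quarantine and which the 2/9 log's F3 win.ini load= line still points at), legacy win.ini load=/run= autostart lines, and "(file missing)" orphan entries. The sample lines are excerpted from the logs above; the rule names, regexes and the Finding class are assumptions of this example.

```python
"""Triage helper for HijackThis (HJT) logs cross-checked against an MWav report.
Example code for this thread, not the tools' own code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HJT entry: a section code (R0, F3, O4, O23 ...) followed by " - " and the body.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# MWav report line: 'File <path> infected by "<name>" Virus. ...'
# or 'File <path> tagged as not-a-virus:<name>. No Action Taken.'
MWAV_LINE = re.compile(
    r'^File (?P<path>.+?) (?:infected by "(?P<name>[^"]+)"'
    r'|tagged as (?P<tag>\S+?)\.(?:\s|$))',
    re.I,
)

# Constructed sample input, excerpted from the MWav results and the 2/9 HJT log above.
MWAV_SAMPLE = r"""
File C:\QooBox\Quarantine\C\Program Files\Grisoft\AVG7\avgw.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjk.exe.vir infected by "Trojan-Dropper.Win32.Agent.dgo" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083872.dll tagged as not-a-virus:AdWare.Win32.ZenoSearch.ad. No Action Taken.
"""
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass
class Finding:
    rule: str      # which heuristic fired
    entry: str     # the HJT line, verbatim
    detail: str = ""


def parse_mwav(report: str) -> dict[str, str]:
    """Map the basename of every file MWav named (minus the .vir suffix that
    ComboFix's QooBox quarantine appends) to the detection name, so HJT
    entries can be matched on filename alone."""
    bad: dict[str, str] = {}
    for line in report.splitlines():
        m = MWAV_LINE.match(line.strip())
        if not m:
            continue
        base = m.group("path").rsplit("\\", 1)[-1].lower()
        if base.endswith(".vir"):
            base = base[:-4]
        bad[base] = m.group("name") or m.group("tag")
    return bad


def triage_hjt(log: str, known_bad: dict[str, str]) -> list[Finding]:
    """Run three defender-side heuristics over each HJT entry."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body").lower()
        # Rule 1: the entry references a file a scanner has already convicted.
        # Boundaries keep "ctfmon.exe.tmp" from matching the legitimate ctfmon.exe.
        for base, name in known_bad.items():
            if re.search(r"(?<![\w.])" + re.escape(base) + r"(?![\w.])", body):
                findings.append(Finding("scanner-match", line, f"{base} -> {name}"))
        # Rule 2: win.ini load=/run= is a legacy autostart worth a look on XP.
        if code == "F3" and re.search(r"\b(load|run)=", body):
            findings.append(Finding("legacy-win.ini-autostart", line))
        # Rule 3: entries whose target HJT could not find are leftovers to clean.
        if "(file missing)" in body:
            findings.append(Finding("orphan-entry", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE, parse_mwav(MWAV_SAMPLE)):
        print(f"[{f.rule}] {f.entry}  {f.detail}")
```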

Shaba
2008-02-10, 12:25
Hi

Empty these folders:

C:\Program Files\Norton AntiVirus\Quarantine

C:\QooBox\Quarantine

Empty Recycle Bin.

I can redirect you to some Windows forum for that IE issue if you'd like.

All other viruses are in system restore and inactive.

I'll give you instructions later on how to empty it.

Other than that, any problems left?

SLRHCristy
2008-02-10, 12:54
Hi,

I'm not entirely sure how to empty those folders, vs. deleting them...do I just delete everything inside the folders?

As for any other issues, my computer seems to be working as it should, and I don't see any more strange windows or commands popping up. Great news! Thanks so much for all of your help and patience!!

As for IE, I actually never use it (I only use Firefox), but if there is a virus infecting IE or something, please do point me in the right direction so I can make sure the whole system is clean.

Also, when the virus infected my computer, it seemed to have infected my Adaware and Norton. I'd like to just un-install those when we get to that point, and follow your recommendations for protecting my system.

I'll wait to hear from you.

Thanks!

Shaba
2008-02-10, 12:57
Hi

Actually there seems to be one bad entry left, my bad.

Let's find out if there is more:

Delete your copy of combofix.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

SLRHCristy
2008-02-10, 20:11
Hi,

Here is my new combofix log:

ComboFix 08-02.05.3 - Anastasia 2008-02-10 10:38:56.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT -7:00]
Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 12:34 . 2008-02-09 12:34 0 --a------ C:\23990098.$$$
2008-02-09 10:35 . 2008-02-09 10:44 <DIR> d-------- C:\Downloads
2008-02-09 10:32 . 2008-02-09 10:33 <DIR> d-------- C:\Kaspersky
2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-29 21:00 . 2008-02-09 10:49 2,211,360 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 21:00 . 2008-02-09 10:49 77,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-29 21:00 . 2008-02-09 10:49 31,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 21:00 . 2008-02-09 10:49 9,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 21:50 . 2008-02-08 06:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-28 17:42 . 2008-02-08 06:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 02:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
2007-12-16 19:59 --------- d-----w C:\Program Files\Java
2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
"CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 17:32:59 C:\WINDOWS\Tasks\Ad-aware.job"
- C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
"2008-02-08 14:15:06 C:\WINDOWS\Tasks\Checkup Scheduled.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-02-09 21:53:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-02-10 05:45:48 C:\WINDOWS\Tasks\Norton System Doctor.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
"2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
"2008-02-10 07:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2008-02-10 08:20:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 10:41:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-10 10:43:28
ComboFix-quarantined-files.txt 2008-02-10 17:42:34
ComboFix2.txt 2008-02-08 05:54:49
.
2008-01-30 10:01:48 --- E O F ---


And HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:08 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5289 bytes


I'll wait to hear from you regarding emptying those other folders.

Thanks!

Shaba
2008-02-10, 20:17
Hi

Now it looks good :)

There was one bad entry re-appearing which is gone now.

As for emptying, it's just as you said: delete everything inside the folders

Any other issues left?

SLRHCristy
2008-02-10, 22:34
Yes, looking good from here! :D:

Shaba
2008-02-11, 12:20
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can now uninstall and re-install any programs that might not work.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 4 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:

SLRHCristy
2008-02-12, 04:13
Hi,

I have run through the steps you listed for getting my system back in order, and I think I have run into some residual issues. I completed the steps for Java and for OTMoveIt2.exe. (have not yet uninstalled and re-installed programs that might not work-I missed that line in your message somehow.)

I moved on to reading the Windows XP system restore guide-I logged out of my normal account and re-started in the administrative user account-when it booted up after I entered my password, two error messages popped up on the screen.

First: "Unable to install 'C:/WINDOWS/System32/jkkjk.exe'. Make sure you typed the name correctly then try again...

Second: "Could not load or run 'C:/WINDOWS/System32/jkkjk.exe' specified in the registry. Make sure the file exists in your computer or remove it from your registry.

Are these normal errors due to the cleanup and removing the infections?

Also, I may just be a bit paranoid now from all of this, but each time I start up, WRL Active Update is running-it shows in the task manager as "Updater". When we were cleaning up, I just always ignored it, but just want to make sure this is normal. It has a small white blue and green diamond shaped icon located by my clock. (again, probably just paranoia) :)

I will wait to hear from you that these are normal before I continue. Thanks so much for all your help...I apologize for the length of the process on my part-work and school, etc...make it hard to post as quickly as I would like.

Shaba
2008-02-12, 11:56
Hi

"I moved on to reading the Windows XP system restore guide-I logged out of my normal account and re-started in the administrative user account-when it booted up after I entered my password, two error messages popped up on the screen.

First: "Unable to install 'C:/WINDOWS/System32/jkkjk.exe'. Make sure you typed the name correctly then try again...

Second: "Could not load or run 'C:/WINDOWS/System32/jkkjk.exe' specified in the registry. Make sure the file exists in your computer or remove it from your registry.

Are these normal errors due to the cleanup and removing the infections?"

Have you sent HijackThis log from that admin account, too?

That sounds like infection leftover.

If not, please do it next :)

SLRHCristy
2008-02-14, 06:59
Hi,

Apologies, I did not know it was all user-specific. I have had to log into the admin account for several processes, but have always posted from my normal user account. Here is the HJT log for the admin account.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:06 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 5321 bytes



Thanks!!

Shaba
2008-02-14, 11:48
Hi

Open HijackThis, click do a system scan only and checkmark this:

F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe

Close all windows including browser and press fix checked.

Reboot.

Still problems?

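The two HijackThis logs above came from different Windows accounts, and the win.ini load= entry only showed up in the admin account's log. The following is an added example, not part of the thread or of HijackThis: it parses two HJT logs (constructed here from lines quoted above), reports the per-user entries (R0/R1, HKCU Run, and F3 win.ini load=/run=, which NT maps into each user's hive) that appear in only one account, and lists any win.ini autostart targets, since a clean XP box has none.

```python
"""Compare HijackThis logs from two Windows accounts and flag per-user
autostarts that exist in only one of them.

Added example; not part of the thread or of HijackThis itself.
The sample logs below are constructed excerpts of the logs quoted above.
"""
import re

# Item types whose data HijackThis reads from the current user's profile.
USER_SCOPED = ("R0", "R1", "F3")

# Every HijackThis item line looks like "<type> - <description>".
ITEM_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")

# F3 lines carry the win.ini load=/run= target (per-user on NT/XP).
F3_RE = re.compile(r"REG:win\.ini: (?P<key>load|run)=(?P<target>.+)$")


def parse_hjt(text):
    """Return (type, body) pairs for every item line in a log."""
    items = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append((m.group("type"), m.group("body").strip()))
    return items


def is_user_scoped(item):
    """True for entries that live in the logged-on user's settings."""
    kind, body = item
    return kind in USER_SCOPED or (kind == "O4" and body.startswith("HKCU"))


def user_only_entries(log_a, log_b):
    """Per-user entries present in exactly one of the two logs."""
    a = {i for i in parse_hjt(log_a) if is_user_scoped(i)}
    b = {i for i in parse_hjt(log_b) if is_user_scoped(i)}
    return sorted(a - b), sorted(b - a)


def winini_autostarts(log):
    """(key, target) for each win.ini load=/run= line; expected empty."""
    hits = []
    for kind, body in parse_hjt(log):
        m = F3_RE.search(body) if kind == "F3" else None
        if m:
            hits.append((m.group("key"), m.group("target")))
    return hits


# Constructed excerpt of the normal account's log (2/10/2008 above).
NORMAL_ACCOUNT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Constructed excerpt of the admin account's log (2/13/2008 above).
ADMIN_ACCOUNT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    only_normal, only_admin = user_only_entries(NORMAL_ACCOUNT_LOG, ADMIN_ACCOUNT_LOG)
    for kind, body in only_normal:
        print(f"only in normal account: {kind} - {body}")
    for kind, body in only_admin:
        print(f"only in admin account:  {kind} - {body}")
    for key, target in winini_autostarts(ADMIN_ACCOUNT_LOG):
        print(f"win.ini {key}= autostart (admin account): {target}")
```

The machine-wide O4 HKLM and O23 lines are deliberately not diffed: they differ only because Java was updated between the two scans, which is exactly the noise a per-user comparison should ignore.
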
SLRHCristy
2008-02-15, 05:58
Much better, no more pop-ups!

Thanks, Shaba!! I will continue with your previous instructions with regard to getting my system clean and secure.

Thanks so much for all your help!!!!

SLRHCristy
2008-02-15, 06:12
Is the Updater task with the blue white and green icon normal? (running every time I start the computer?)

Thanks!

Shaba
2008-02-15, 11:37
Hi

Not sure what you mean.

Can you maybe take a screenshot of it?

SLRHCristy
2008-02-20, 06:18
Hi,

Sorry for the delayed response. We had a bit of an emergency here-my daughter threw the ball to my dogs in the house, which hit our turtle tank and flooded my dining room with 40 gallons of water. :red:

Back to the computer issue:

I cannot get the screenshot to work, as I cannot find my paint program-and oddly, my calculator no longer works-I'm sure this will be fixed with the remaining cleanup steps you have given before I got back to these other issues.

I don't see any problems being caused by the updater icon, so I will continue with the cleanup process if that is what you recommend. Let me know.

Thanks!

Shaba
2008-02-20, 11:59
Hi

See here (http://support.microsoft.com/kb/310747)
and run sfc /scannow (start - run - sfc /scannow - ok).

Did it help?

Shaba
2008-02-25, 12:09
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.