2nd try. BHO.DBU



niplub
2008-02-10, 00:53
I can't seem to shake this one...

Logfile of HijackThis v1.99.1
Scan saved at 14:52, on 2008-02-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wa56.exe
E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Documents and Settings\Rich\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A67C830-8A27-4F78-B530-02931DA524EA} - e:\windows\system32\ds16gtp.dll
O2 - BHO: (no name) - {24B26903-6CB7-4AE4-A560-D7E19CFCE18D} - E:\WINDOWS\system32\audiosrvc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [wa56] E:\WINDOWS\system32\wa56.exe
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [wa56] E:\WINDOWS\system32\wa56.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176328460015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176329388623
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,38
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.easypix.ca/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: eynuoops - E:\WINDOWS\SYSTEM32\ds16gtp.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edit: http://forums.spybot.info/showthread.php?t=22659

Shaba
2008-02-11, 12:40
Hi niplub

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

niplub
2008-02-16, 04:22
ComboFix log.

ComboFix 08-02-16.2 - Rich 2008-02-15 17:04:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.989 [GMT -8:00]
Running from: E:\Documents and Settings\Rich\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\audiosrvc.dll
E:\WINDOWS\system32\drivers\xriidqdx.dat
E:\WINDOWS\system32\ds16gtp.dll
E:\Documents and Settings\Rich\Application Data\inst.exe
E:\WINDOWS\system32\audiosrvc.dll
E:\WINDOWS\system32\drivers\xriidqdx.dat
E:\WINDOWS\system32\ds16gtp.dll
E:\WINDOWS\Tasks.\At1.job
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
.
---- Previous Run -------
.
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
E:\Documents and Settings\Rich\Application Data\inst.exe
E:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BVSRVGPL
-------\LEGACY_ZIIFMEMG
-------\bvsrvgpl
-------\ziifmemg


-------\ziifmemg


((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 16:33 . 2006-02-28 04:00 1,875,968 --a--c--- E:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-15 16:32 . 2006-02-28 04:00 13,463,552 --a--c--- E:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\WindowsShell.Manifest
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\sapi.cpl.manifest
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-15 16:30 . 2008-02-15 16:30 488 -rah----- E:\WINDOWS\system32\logonui.exe.manifest
2008-02-15 16:17 . 2006-02-28 04:00 1,086,058 -ra------ E:\WINDOWS\SET209.tmp
2008-02-15 16:17 . 2006-02-28 04:00 1,042,903 -ra------ E:\WINDOWS\SET206.tmp
2008-02-11 06:48 . 2008-02-11 06:48 60,416 --a------ E:\WINDOWS\system32\drivers\ComboFix.sys
2008-02-10 23:06 . 2008-02-10 23:06 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-09 14:38 . 2006-02-28 04:00 388,608 --a------ E:\kmd.exe
2008-02-06 19:06 . 2008-02-06 19:06 1,203 --a------ E:\WINDOWS\mozver.dat
2008-02-01 19:27 . 2008-02-01 19:27 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-02-01 19:22 . 2008-02-01 19:22 <DIR> d-------- E:\WINDOWS\system32\XPSViewer
2008-02-01 19:22 . 2008-02-01 19:22 <DIR> d-------- E:\Program Files\Reference Assemblies
2008-02-01 19:21 . 2008-02-01 19:21 <DIR> d-------- E:\Program Files\MSXML 6.0
2008-02-01 19:21 . 2008-02-01 19:21 <DIR> d-------- E:\a8e1482b6bc3a98542
2008-02-01 19:21 . 2006-06-29 13:07 14,048 --a------ E:\WINDOWS\system32\spmsg2.dll
2008-02-01 19:16 . 2006-11-12 22:02 288,768 --a------ E:\WINDOWS\system32\rhttpaa.dll
2008-02-01 19:16 . 2006-11-12 22:02 116,736 --a------ E:\WINDOWS\system32\aaclient.dll
2008-02-01 19:16 . 2006-11-12 22:02 36,352 --a------ E:\WINDOWS\system32\tsgqec.dll
2008-02-01 06:32 . 2008-02-01 06:32 <DIR> d-------- E:\Program Files\Lavasoft
2008-02-01 06:32 . 2008-02-01 06:32 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 06:32 . 2008-02-01 06:33 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 15:03 . 2008-01-31 15:03 0 --a------ E:\t5k
2008-01-29 13:08 . 2008-01-29 13:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-19 17:07 . 2008-01-19 17:08 <DIR> d-------- E:\Program Files\iTunes
2008-01-19 17:07 . 2008-01-19 17:07 <DIR> d-------- E:\Program Files\iPod
2008-01-19 17:05 . 2008-01-19 17:05 <DIR> d-------- E:\Program Files\QuickTime
2008-01-18 17:34 . 2008-01-18 17:34 <DIR> d-------- E:\Program Files\Oxin's Style!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 01:13 --------- d-----w E:\Documents and Settings\Rich\Application Data\uTorrent
2008-02-15 23:55 --------- d-----w E:\Documents and Settings\Rich\Application Data\AVG7
2008-02-15 23:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\avg7
2008-02-10 19:30 --------- d-----w E:\Program Files\DU Meter
2008-02-09 23:59 --------- d-----w E:\Documents and Settings\Rich\Application Data\Azureus
2008-02-09 14:52 --------- d-----w E:\Program Files\Common Files\Adobe
2008-02-02 21:31 --------- d-----w E:\Documents and Settings\Rich\Application Data\ZoomBrowser EX
2008-02-02 21:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-02-01 14:34 --------- d-----w E:\Program Files\Windows Media Connect 2
2008-02-01 14:34 --------- d-----w E:\Program Files\Combined Community Codec Pack
2008-02-01 02:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-26 00:34 --------- d-----w E:\Documents and Settings\Rich\Application Data\Vso
2008-01-13 20:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 19:45 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-01-11 01:41 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-10 05:45 --------- d-----w E:\Documents and Settings\Rich\Application Data\Talkback
2008-01-05 23:37 --------- d-----w E:\Program Files\Aimersoft
2008-01-05 03:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-05 03:34 47,360 ----a-w E:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-05 03:34 47,360 ----a-w E:\Documents and Settings\Rich\Application Data\pcouffin.sys
2008-01-05 03:34 --------- d-----w E:\Program Files\VSO
2008-01-04 01:55 --------- d-----w E:\Documents and Settings\Rich\Application Data\Media Player Classic
2007-12-28 14:56 --------- d-----w E:\Program Files\Azureus
2007-12-24 05:18 --------- d-----w E:\Documents and Settings\Rich\Application Data\Teleca
2007-12-23 20:48 --------- d-----w E:\Documents and Settings\Rich\Application Data\Sony Ericsson
2007-12-23 20:46 --------- d-----w E:\Program Files\Common Files\Teleca Shared
2007-12-23 20:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Teleca
2007-12-23 20:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-23 20:45 --------- d-----w E:\Program Files\Sony Ericsson
2007-12-22 20:58 --------- d-----w E:\Program Files\Super_DVD_Creator_9.5
2007-11-11 06:10 938 ----a-w E:\Program Files\Common Files\Xnews.ini
2007-11-11 06:10 1,386,772 ----a-w E:\Program Files\Common Files\SHAW news.newsrc
2007-11-10 15:24 1,385,080 ----a-w E:\Program Files\Common Files\SHAW news.newsrc.bak
2007-11-10 15:13 94 ----a-w E:\Program Files\Common Files\servers.ini
2007-11-10 15:12 89,626 ----a-w E:\Program Files\Common Files\changes.txt
2007-11-10 15:12 834 ----a-w E:\Program Files\Common Files\sample-score.ini
2007-11-10 15:12 6,414 ----a-w E:\Program Files\Common Files\scoring.txt
2007-11-10 15:12 42,598 ----a-w E:\Program Files\Common Files\pcre.html
2007-11-10 15:12 359 ----a-w E:\Program Files\Common Files\groups.ini
2007-11-10 15:12 12,800 --sha-w E:\Program Files\Common Files\Thumbs.db
2007-11-10 15:12 102,699 ----a-w E:\Program Files\Common Files\manual.html
2007-11-10 15:12 1,427 ----a-w E:\Program Files\Common Files\readme.txt
2007-11-10 15:12 1,255,936 ----a-w E:\Program Files\Common Files\Xnews.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04 139264]
"MsnMsgr"="E:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Active Desktop Calendar"="E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 14:13 3330048]
"uTorrent"="E:\Program Files\uTorrent\uTorrent.exe" [2007-12-01 13:48 250672]
"wa56"="E:\WINDOWS\system32\wa56.exe" [2008-01-10 07:11 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-19 08:38 579072]
"RegistryMechanic"="E:\Program Files\Registry Mechanic\RegMech.exe" [2005-12-25 18:27 7634944]
"SoundMAXPnP"="E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 08:11 1388544]
"SoundMAX"="E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 11:41 860160]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DU Meter"="E:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 18:28 1469952]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"WinampAgent"="E:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22 35328]
"PC Pitstop Optimize Scheduler"="E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-10-26 15:53 2577120]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"wa56"="E:\WINDOWS\system32\wa56.exe" [2008-01-10 07:11 16384]
"SpybotSnD"="E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2007-08-31 16:46 4943184]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\System32\CTFMON.EXE" [2006-02-28 04:00 15360]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:50 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="E:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 21:59 44544]

E:\Documents and Settings\Rich\Start Menu\Programs\Startup\
Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

S3 UXDCMN;UXDCMN;F:\UXDCMN.SYS []
S3 w200bus;Sony Ericsson W200 driver (WDM);E:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 23:53:04 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 17:13:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-02-15 17:18:44 - machine was rebooted [Rich]
ComboFix-quarantined-files.txt 2008-02-16 01:18:41
.
2008-02-16 00:50:25 --- E O F ---

Shaba
2008-02-16, 12:17
Hi

Please post a fresh HijackThis log, too :)

niplub
2008-02-16, 17:37
Logfile of HijackThis v1.99.1
Scan saved at 7:36:33 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Program Files\Winamp\winampa.exe
E:\WINDOWS\system32\wa56.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Rich\Desktop\HijackThis.exe
E:\WINDOWS\SoftwareDistribution\Download\e995acae9f2591ac009a4ad305efa874\update\update.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [wa56] E:\WINDOWS\system32\wa56.exe
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [wa56] E:\WINDOWS\system32\wa56.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176328460015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176329388623
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,38
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.easypix.ca/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Shaba
2008-02-16, 17:43
Hi

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

E:\WINDOWS\system32\wa56.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

niplub
2008-02-16, 17:54
File: wa56.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6560c17438970b229537f5cf734870d7
Packers detected: -
Bit9 reports: File not found
________________________________________

Scan taken on 16 Feb 2008 15:48:44 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.Morphine.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Agent-13262
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Agent.edh
Fortinet Found nothing
Ikarus Found Trojan.Win32.Agent.edh
Kaspersky Anti-Virus Found Trojan.Win32.Agent.edh
NOD32 Found a variant of Win32/Small.BB
Norman Virus Control Found W32/Agent.EFNR
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Agent.edh
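
Added example, not part of the thread and not from Jotti or VirusTotal: a small Python parser for the multi-engine report format posted above. It turns the "Engine Found verdict" lines into a detection ratio and a tally of which names the engines agree on, and it recomputes an MD5 so a local copy can be matched against the hash in the report before anyone acts on it. The sample text is the report above, embedded as constructed test input; the function and variable names are my own.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the multi-engine report niplub posted above,
# copied verbatim so the parser can be exercised offline.
SAMPLE_REPORT = """File: wa56.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6560c17438970b229537f5cf734870d7
Packers detected: -
Bit9 reports: File not found
________________________________________

Scan taken on 16 Feb 2008 15:48:44 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.Morphine.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Agent-13262
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Agent.edh
Fortinet Found nothing
Ikarus Found Trojan.Win32.Agent.edh
Kaspersky Anti-Virus Found Trojan.Win32.Agent.edh
NOD32 Found a variant of Win32/Small.BB
Norman Virus Control Found W32/Agent.EFNR
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Agent.edh
"""


def parse_report(text: str) -> Tuple[Dict[str, str], Dict[str, Optional[str]]]:
    """Split a Jotti-style report into header metadata and per-engine verdicts.

    A verdict of None means the engine reported 'nothing'. Engine names and
    verdicts may both contain spaces, so the split is on the literal ' Found '."""
    meta: Dict[str, str] = {}
    verdicts: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"_"}:          # blank line or the underscore rule
            continue
        if line.startswith("Scan taken on "):       # contains ':' but is not key: value
            meta["Scan taken on"] = line[len("Scan taken on "):]
        elif " Found " in line:
            engine, verdict = line.split(" Found ", 1)
            verdict = verdict.strip()
            verdicts[engine.strip()] = None if verdict.lower() == "nothing" else verdict
        elif ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta, verdicts


def detection_ratio(verdicts: Dict[str, Optional[str]]) -> Tuple[int, int]:
    hits = sum(1 for v in verdicts.values() if v is not None)
    return hits, len(verdicts)


def verdict_consensus(verdicts: Dict[str, Optional[str]]) -> List[Tuple[str, int]]:
    """Detection names, most agreed-upon first. Several independent engines
    naming the same family is stronger evidence than any single hit."""
    return Counter(v for v in verdicts.values() if v is not None).most_common()


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large sample never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches_report(path: str, meta: Dict[str, str]) -> bool:
    """Confirm a local file is the exact sample the report describes."""
    return md5_of_file(path).lower() == meta.get("MD5", "").lower()


if __name__ == "__main__":
    meta, verdicts = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(verdicts)
    print(f"{meta['File']} md5={meta['MD5']} detected by {hits}/{total} engines")
    for name, count in verdict_consensus(verdicts):
        print(f"  {count}x {name}")
```

Run stand-alone it reports 8 of 21 engines, four of them agreeing on Trojan.Win32.Agent.edh. Two things in that output matter for triage: AVG, the resident product on this machine, is among the engines that found nothing, which is consistent with the file surviving on the box, and thirteen engines saying "nothing" is not evidence the file is clean. A multi-scanner result is a vote, and agreement between independent engines on one family name is what carries weight. MD5 is used here because that is what the report provides; for anything recorded today, note a SHA-256 alongside it.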

Shaba
2008-02-16, 18:40
Hi

Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to the desktop, open it & paste in the list of files below, press Next & it will create an archive (zip/cab file) on the desktop.

E:\WINDOWS\system32\wa56.exe

Go to spykiller (http://www.thespykiller.co.uk/index.php?PHPSESSID=d65884362fbc872b70e1a9a9a7e13700&board=1.0)

Press New Topic, and make the thread's title "Files for Shaba".
Include in your message a link to here, then attach the cab/zip file to your message and post the topic.
If you can't locate it through the Browse button, just copy/paste the filename and path.

After that, please reply here and we'll continue :)

niplub
2008-02-17, 00:15
OK, I've done what you asked... I think.
Thanks.

tashi
2008-02-17, 08:55
Shaba, infected files that were posted in another topic removed. :)

Previous topic: http://forums.spybot.info/showthread.php?t=22659

Shaba
2008-02-17, 12:14
Hi

Yes, you did it right :)

Open Notepad and copy/paste the text in the quotebox below into it:


File::
E:\WINDOWS\system32\wa56.exe
E:\WINDOWS\SET209.tmp
E:\WINDOWS\SET206.tmp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wa56"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wa56"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also which process you had to end.
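
Added example, not from the thread and not ComboFix's own code: a Python parser for the CFScript format used in the post above (a `File::` section listing paths to delete and a `Registry::` section in REGEDIT syntax, where `"name"=-` removes that value), plus a pre-flight check. ComboFix removes exactly what the script names, without asking, so a mistyped path is destructive; the check flags relative paths and a short illustrative list of core Windows binaries that is my own assumption, not anything the tool enforces. The sample script is the one posted above, embedded as constructed test input.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the CFScript from the post above, verbatim.
SAMPLE_CFSCRIPT = r"""File::
E:\WINDOWS\system32\wa56.exe
E:\WINDOWS\SET209.tmp
E:\WINDOWS\SET206.tmp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wa56"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wa56"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")                   # File::, Registry::, ...
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\Run]
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')  # "name"=data or @=data
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Illustrative list only (my assumption, not anything ComboFix enforces):
# names a cleanup script should never be deleting by accident.
CORE_BINARIES = {"explorer.exe", "winlogon.exe", "userinit.exe", "lsass.exe",
                 "services.exe", "csrss.exe", "smss.exe", "svchost.exe"}


@dataclass
class RegAction:
    key: str
    name: str                  # "" is the (Default) value
    data: Optional[str]        # None means "=-", i.e. delete the value


@dataclass
class Plan:
    files: List[str] = field(default_factory=list)
    registry: List[RegAction] = field(default_factory=list)
    other: Dict[str, List[str]] = field(default_factory=dict)   # sections not interpreted here


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    section: Optional[str] = None
    current_key: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section is None:
            raise ValueError(f"line {lineno}: content before any 'Name::' header")
        if section == "File":
            plan.files.append(line)
        elif section == "Registry":
            km = KEY_RE.match(line)
            if km:
                current_key = km.group(1)
                continue
            vm = VALUE_RE.match(line)
            if vm is None or current_key is None:
                raise ValueError(f"line {lineno}: malformed registry line {line!r}")
            data = vm.group("data")
            plan.registry.append(RegAction(current_key, vm.group("name") or "",
                                           None if data == "-" else data))
        else:
            plan.other.setdefault(section, []).append(line)
    return plan


def check_plan(plan: Plan) -> List[str]:
    """Pre-flight warnings; an empty list means nothing looked risky."""
    warnings: List[str] = []
    for path in plan.files:
        if not ABS_PATH_RE.match(path):
            warnings.append(f"not an absolute drive path: {path}")
        if path.rsplit("\\", 1)[-1].lower() in CORE_BINARIES:
            warnings.append(f"core Windows binary listed for deletion: {path}")
    for a in plan.registry:
        if a.data is None and a.name == "":
            warnings.append(f"deleting the (Default) value of {a.key}")
    return warnings


def describe(plan: Plan) -> List[str]:
    """Human-readable action list, one line per change the script would make."""
    lines = [f"delete file  {p}" for p in plan.files]
    for a in plan.registry:
        if a.data is None:
            lines.append(f"delete value {a.key}\\{a.name}")
        else:
            lines.append(f"set value    {a.key}\\{a.name} = {a.data}")
    return lines


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for w in check_plan(plan):
        print("WARNING:", w)
    print("\n".join(describe(plan)))
```

For the script above the check returns nothing and `describe()` lists three file deletions and two value deletions, which is exactly what the ComboFix log later records under "FILE" and "Other Deletions". The same five lines are the thing to compare against that log: anything deleted that the script did not name, or anything named that was not deleted, needs an explanation before declaring the machine clean.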

niplub
2008-02-21, 16:46
Wow... sorry, I didn't realise there was a second page to the thread! Dummy. OK, here is the log... I'll follow with the HijackThis.

ComboFix 08-02-16.2 - Rich 2008-02-21 6:39:28.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1044 [GMT -8:00]
Running from: E:\Documents and Settings\Rich\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Rich\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
E:\WINDOWS\SET206.tmp
E:\WINDOWS\SET209.tmp
E:\WINDOWS\system32\wa56.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\SET206.tmp
E:\WINDOWS\SET209.tmp
E:\WINDOWS\system32\wa56.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-17 03:00 . 2008-02-17 03:00 <DIR> d-------- E:\WINDOWS\LastGood
2008-02-16 07:46 . 2008-02-16 07:46 5,120 --ahs---- E:\WINDOWS\system32\Thumbs.db
2008-02-15 18:02 . 2006-11-07 09:42 97,056 -ra------ E:\WINDOWS\system32\drivers\w200mdm.sys
2008-02-15 18:02 . 2006-11-07 09:42 9,328 -ra------ E:\WINDOWS\system32\drivers\w200mdfl.sys
2008-02-15 18:02 . 2006-11-07 09:42 6,208 -ra------ E:\WINDOWS\system32\drivers\w200cmnt.sys
2008-02-15 18:02 . 2006-11-07 09:42 6,208 -ra------ E:\WINDOWS\system32\drivers\w200cm.sys
2008-02-15 16:33 . 2006-02-28 04:00 1,875,968 --a--c--- E:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-15 16:32 . 2006-02-28 04:00 13,463,552 --a--c--- E:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\WindowsShell.Manifest
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\sapi.cpl.manifest
2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-15 16:30 . 2008-02-15 16:30 488 -rah----- E:\WINDOWS\system32\logonui.exe.manifest
2008-02-11 06:48 . 2008-02-11 06:48 60,416 --a------ E:\WINDOWS\system32\drivers\ComboFix.sys
2008-02-10 23:06 . 2008-02-10 23:06 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-09 14:38 . 2006-02-28 04:00 388,608 --a------ E:\kmd.exe
2008-02-06 19:06 . 2008-02-06 19:06 1,203 --a------ E:\WINDOWS\mozver.dat
2008-02-01 19:27 . 2008-02-01 19:27 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-02-01 19:22 . 2008-02-01 19:22 <DIR> d-------- E:\WINDOWS\system32\XPSViewer
2008-02-01 19:22 . 2008-02-01 19:22 <DIR> d-------- E:\Program Files\Reference Assemblies
2008-02-01 19:21 . 2008-02-01 19:21 <DIR> d-------- E:\Program Files\MSXML 6.0
2008-02-01 19:21 . 2008-02-01 19:21 <DIR> d-------- E:\a8e1482b6bc3a98542
2008-02-01 19:21 . 2006-06-29 13:07 14,048 --a------ E:\WINDOWS\system32\spmsg2.dll
2008-02-01 19:16 . 2006-11-12 22:02 288,768 --a------ E:\WINDOWS\system32\rhttpaa.dll
2008-02-01 19:16 . 2006-11-12 22:02 116,736 --a------ E:\WINDOWS\system32\aaclient.dll
2008-02-01 19:16 . 2006-11-12 22:02 36,352 --a------ E:\WINDOWS\system32\tsgqec.dll
2008-02-01 06:32 . 2008-02-01 06:32 <DIR> d-------- E:\Program Files\Lavasoft
2008-02-01 06:32 . 2008-02-01 06:32 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 06:32 . 2008-02-01 06:33 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 15:03 . 2008-01-31 15:03 0 --a------ E:\t5k
2008-01-29 13:08 . 2008-01-29 13:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 14:37 --------- d-----w E:\Documents and Settings\Rich\Application Data\uTorrent
2008-02-20 16:00 --------- d-----w E:\Documents and Settings\Rich\Application Data\AVG7
2008-02-15 23:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\avg7
2008-02-10 19:30 --------- d-----w E:\Program Files\DU Meter
2008-02-09 23:59 --------- d-----w E:\Documents and Settings\Rich\Application Data\Azureus
2008-02-09 14:52 --------- d-----w E:\Program Files\Common Files\Adobe
2008-02-02 21:31 --------- d-----w E:\Documents and Settings\Rich\Application Data\ZoomBrowser EX
2008-02-02 21:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-02-01 14:34 --------- d-----w E:\Program Files\Windows Media Connect 2
2008-02-01 14:34 --------- d-----w E:\Program Files\Combined Community Codec Pack
2008-02-01 02:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-26 00:34 --------- d-----w E:\Documents and Settings\Rich\Application Data\Vso
2008-01-20 01:08 --------- d-----w E:\Program Files\iTunes
2008-01-20 01:07 --------- d-----w E:\Program Files\iPod
2008-01-20 01:05 --------- d-----w E:\Program Files\QuickTime
2008-01-19 01:34 --------- d-----w E:\Program Files\Oxin's Style!
2008-01-13 20:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 19:45 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-01-11 01:41 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-10 15:23 246,545 ----a-w E:\WINDOWS\system32\libssl32.dll
2008-01-10 15:23 1,188,375 ----a-w E:\WINDOWS\system32\libeay32.dll
2008-01-10 05:45 --------- d-----w E:\Documents and Settings\Rich\Application Data\Talkback
2008-01-05 23:37 --------- d-----w E:\Program Files\Aimersoft
2008-01-05 03:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\vsosdk
2008-01-05 03:34 47,360 ----a-w E:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-05 03:34 47,360 ----a-w E:\Documents and Settings\Rich\Application Data\pcouffin.sys
2008-01-05 03:34 --------- d-----w E:\Program Files\VSO
2008-01-04 01:55 --------- d-----w E:\Documents and Settings\Rich\Application Data\Media Player Classic
2007-12-28 14:56 --------- d-----w E:\Program Files\Azureus
2007-12-24 05:18 --------- d-----w E:\Documents and Settings\Rich\Application Data\Teleca
2007-12-23 20:48 --------- d-----w E:\Documents and Settings\Rich\Application Data\Sony Ericsson
2007-12-23 20:46 --------- d-----w E:\Program Files\Common Files\Teleca Shared
2007-12-23 20:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Teleca
2007-12-23 20:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-23 20:45 --------- d-----w E:\Program Files\Sony Ericsson
2007-12-22 20:58 --------- d-----w E:\Program Files\Super_DVD_Creator_9.5
2007-12-14 19:32 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2007-11-11 06:10 938 ----a-w E:\Program Files\Common Files\Xnews.ini
2007-11-11 06:10 1,386,772 ----a-w E:\Program Files\Common Files\SHAW news.newsrc
2007-11-10 15:24 1,385,080 ----a-w E:\Program Files\Common Files\SHAW news.newsrc.bak
2007-11-10 15:13 94 ----a-w E:\Program Files\Common Files\servers.ini
2007-11-10 15:12 89,626 ----a-w E:\Program Files\Common Files\changes.txt
2007-11-10 15:12 834 ----a-w E:\Program Files\Common Files\sample-score.ini
2007-11-10 15:12 6,414 ----a-w E:\Program Files\Common Files\scoring.txt
2007-11-10 15:12 42,598 ----a-w E:\Program Files\Common Files\pcre.html
2007-11-10 15:12 359 ----a-w E:\Program Files\Common Files\groups.ini
2007-11-10 15:12 12,800 --sha-w E:\Program Files\Common Files\Thumbs.db
2007-11-10 15:12 102,699 ----a-w E:\Program Files\Common Files\manual.html
2007-11-10 15:12 1,427 ----a-w E:\Program Files\Common Files\readme.txt
2007-11-10 15:12 1,255,936 ----a-w E:\Program Files\Common Files\Xnews.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04 139264]
"MsnMsgr"="E:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Active Desktop Calendar"="E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 14:13 3330048]
"uTorrent"="E:\Program Files\uTorrent\uTorrent.exe" [2007-12-01 13:48 250672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-19 08:38 579072]
"RegistryMechanic"="E:\Program Files\Registry Mechanic\RegMech.exe" [2005-12-25 18:27 7634944]
"SoundMAXPnP"="E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 08:11 1388544]
"SoundMAX"="E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 11:41 860160]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"DU Meter"="E:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 18:28 1469952]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"WinampAgent"="E:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22 35328]
"PC Pitstop Optimize Scheduler"="E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-10-26 15:53 2577120]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"SpybotSnD"="E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2007-08-31 16:46 4943184]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\System32\CTFMON.EXE" [2006-02-28 04:00 15360]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:50 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="E:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 21:59 44544]

E:\Documents and Settings\Rich\Start Menu\Programs\Startup\
Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

S3 UXDCMN;UXDCMN;F:\UXDCMN.SYS []
S3 w200bus;Sony Ericsson W200 driver (WDM);E:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;E:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;E:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 23:53:02 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 06:43:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-21 6:44:03
ComboFix-quarantined-files.txt 2008-02-21 14:44:01
ComboFix2.txt 2008-02-16 01:18:45
.
2008-02-21 11:00:28 --- E O F ---

niplub
2008-02-21, 16:47
Logfile of HijackThis v1.99.1
Scan saved at 6:46:40 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Teleca Shared\Generic.exe
E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\WINDOWS\explorer.exe
E:\Documents and Settings\Rich\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176328460015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176329388623
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,38
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.easypix.ca/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
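
Added example, not part of the original posts: a Python script that diffs the O4 (autorun) entries of two HijackThis logs, which is the usual way to confirm a fix removed what it was meant to and nothing else. The samples are the HKCU Run lines and the Startup line quoted above from the before and after logs (the ctfmon.exe line is left out of both for brevity), embedded as constructed input. The parsing and the system32 filter are my own; the filter is a triage hint, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed sample input: HKCU Run and Startup O4 lines from the first
# HijackThis log in this thread (before the CFScript run) ...
BEFORE_LOG = r"""
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [wa56] E:\WINDOWS\system32\wa56.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# ... and the same lines from the second log (after it).
AFTER_LOG = r"""
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# "O4 - HKCU\..\Run: [name] command" and "O4 - Startup: name.lnk = command"
RUN_RE = re.compile(r"^O4 - (?P<loc>[^:\[]+?\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# The executable is either a quoted token or everything up to the first
# common program extension; whatever follows is treated as arguments.
EXE_RE = re.compile(r'^(?P<exe>"[^"]*"|.+?\.(?:exe|com|scr|bat|cmd|dll|cpl))(?:\s+(?P<args>.*))?$', re.I)


@dataclass(frozen=True)
class Autorun:
    location: str
    name: str
    exe: str
    args: str


Key = Tuple[str, str]   # (location, name) identifies an entry across logs


def split_command(cmd: str) -> Tuple[str, str]:
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("exe").strip('"'), (m.group("args") or "").strip()


def parse_o4(log: str) -> Dict[Key, Autorun]:
    entries: Dict[Key, Autorun] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue                     # not an O4 line; other sections are ignored
        exe, args = split_command(m.group("cmd"))
        entry = Autorun(m.group("loc"), m.group("name"), exe, args)
        entries[(entry.location, entry.name)] = entry
    return entries


def diff_autoruns(before: Dict[Key, Autorun], after: Dict[Key, Autorun]):
    """Return (added, removed, changed) key sets; 'changed' means the same
    entry name now points at a different executable or arguments."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    changed = {k for k in set(before) & set(after) if before[k] != after[k]}
    return added, removed, changed


def entries_under(entries: Dict[Key, Autorun], directory: str) -> Set[Key]:
    """Autoruns whose executable lives under a directory; a starting point for
    triage (a loader parked in system32 is common), not proof of anything."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return {k for k, e in entries.items() if e.exe.lower().startswith(prefix)}


if __name__ == "__main__":
    before, after = parse_o4(BEFORE_LOG), parse_o4(AFTER_LOG)
    added, removed, changed = diff_autoruns(before, after)
    for label, keys in (("added", added), ("removed", removed), ("changed", changed)):
        for loc, name in sorted(keys):
            print(f"{label:8} {loc} [{name}]")
    for loc, name in sorted(entries_under(before, r"E:\WINDOWS\system32")):
        print(f"system32 autorun in 'before' log: {loc} [{name}] -> {before[(loc, name)].exe}")
```

Against the two logs above the only difference is the removed HKCU `wa56` entry, with nothing added or repointed, which matches what the CFScript asked for. The same comparison is worth running over the O2, O20 and O23 sections as well, since a loader that is gone from Run can still be re-created by a BHO, a Winlogon notify DLL or a service; in the log above those sections are unchanged.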

niplub
2008-02-21, 16:50
Just FYI: before I did this latest fix, I have been unable to update Windows (yes, it's a legit version). I have 91 available updates but they won't "successfully install." I have to go to work now and then I will be away until Sunday night. Thanks again for your help.

Shaba
2008-02-21, 16:57
Hi

We will handle that update issue after you're clean.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

- Scan using the following Anti-Virus database:
  - Extended (if available, otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases

Click OK.
Now, under Select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

Shaba
2008-02-26, 15:23
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.