Virtumonde & virtumonde.dll ...HELP!

Katyp
2008-06-03, 21:26
Hello

Hope you can help. I can't get rid of Virtumonde and Virtumonde.dll. I've tried a few things, but my computer keeps crashing so I haven't managed to get very far!

I have installed Spybot. I've tried to run the Kaspersky online scanner, but part way through the scan it crashes. I can't access Spybot in safe mode as it crashes.


I have however downloaded HijackThis and have had the following report...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:57, on 03/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00758478-20CA-40C0-AD17-AB1EEDFAD161} - C:\WINDOWS\system32\fccyaXnn.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A6242B5-08C3-44FF-8AB4-7DC31CECB849} - (no file)
O2 - BHO: (no name) - {1D99C806-FE81-439C-8C64-C62B90DD5A5F} - C:\WINDOWS\system32\opnlJdcc.dll (file missing)
O2 - BHO: (no name) - {23D98D7A-C829-4556-ADE2-D9B8CDE2B6E2} - C:\WINDOWS\system32\mlJCRigF.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\ljJaYQKC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D136803-6767-4D9F-9C25-8B30D4DAE0FD} - C:\WINDOWS\system32\xxyvwuUm.dll (file missing)
O2 - BHO: (no name) - {70B2E676-1FAA-4774-8CDC-974E3B0B1343} - C:\WINDOWS\system32\yayvWpOE.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {72D4E25A-AC54-4739-A4A6-DC5E8D5CE2CA} - C:\WINDOWS\system32\ddcCTnKc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91CB6129-C854-498B-A875-66E118214CCB} - C:\WINDOWS\system32\hgGvtQKd.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B40D7178-E5FA-45D2-B9EB-F7B2C431BFB1} - C:\WINDOWS\system32\fccyaWnk.dll (file missing)
O2 - BHO: (no name) - {F8AE5AC5-7061-419E-98F2-3D57C7FD3BD0} - C:\WINDOWS\system32\ddcBRiHa.dll (file missing)
O2 - BHO: (no name) - {FC5A885A-B015-4D17-BDF5-E7A995EC4299} - C:\WINDOWS\system32\vtUnolMg.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [6496c8a6] rundll32.exe "C:\WINDOWS\system32\edrlmyyg.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8308] command /c del "C:\WINDOWS\system32\ddcBRiHa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7870] cmd /c del "C:\WINDOWS\system32\ddcBRiHa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7566] command /c del "C:\WINDOWS\system32\opnlJdcc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1440] cmd /c del "C:\WINDOWS\system32\opnlJdcc.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191271915046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.217.10.160/activex/AxisCamControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O20 - Winlogon Notify: ljJaYQKC - C:\WINDOWS\SYSTEM32\ljJaYQKC.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9648 bytes

pskelley
2008-06-05, 02:59
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

The hackers have learned what tools we use and they hide their junk from HJT, that is why we need the Kaspersky Online Scan so badly, to show us that hidden junk. Without it, let's start like this.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

5) Windows Defender: Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {00758478-20CA-40C0-AD17-AB1EEDFAD161} - C:\WINDOWS\system32\fccyaXnn.dll (file missing)
O2 - BHO: (no name) - {0A6242B5-08C3-44FF-8AB4-7DC31CECB849} - (no file)
O2 - BHO: (no name) - {1D99C806-FE81-439C-8C64-C62B90DD5A5F} - C:\WINDOWS\system32\opnlJdcc.dll (file missing)
O2 - BHO: (no name) - {23D98D7A-C829-4556-ADE2-D9B8CDE2B6E2} - C:\WINDOWS\system32\mlJCRigF.dll (file missing)
O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\ljJaYQKC.dll
O2 - BHO: (no name) - {6D136803-6767-4D9F-9C25-8B30D4DAE0FD} - C:\WINDOWS\system32\xxyvwuUm.dll (file missing)
O2 - BHO: (no name) - {70B2E676-1FAA-4774-8CDC-974E3B0B1343} - C:\WINDOWS\system32\yayvWpOE.dll (file missing)
O2 - BHO: (no name) - {72D4E25A-AC54-4739-A4A6-DC5E8D5CE2CA} - C:\WINDOWS\system32\ddcCTnKc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91CB6129-C854-498B-A875-66E118214CCB} - C:\WINDOWS\system32\hgGvtQKd.dll (file missing)
O2 - BHO: (no name) - {B40D7178-E5FA-45D2-B9EB-F7B2C431BFB1} - C:\WINDOWS\system32\fccyaWnk.dll (file missing)
O2 - BHO: (no name) - {F8AE5AC5-7061-419E-98F2-3D57C7FD3BD0} - C:\WINDOWS\system32\ddcBRiHa.dll (file missing)
O2 - BHO: (no name) - {FC5A885A-B015-4D17-BDF5-E7A995EC4299} - C:\WINDOWS\system32\vtUnolMg.dll (file missing)
O4 - HKLM\..\Run: [6496c8a6] rundll32.exe "C:\WINDOWS\system32\edrlmyyg.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA8308] command /c del "C:\WINDOWS\system32\ddcBRiHa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7870] cmd /c del "C:\WINDOWS\system32\ddcBRiHa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7566] command /c del "C:\WINDOWS\system32\opnlJdcc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1440] cmd /c del "C:\WINDOWS\system32\opnlJdcc.dll_old"
O20 - Winlogon Notify: ljJaYQKC - C:\WINDOWS\SYSTEM32\ljJaYQKC.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) Right click Start > Explore and navigate to these files/folders and delete them if there.

(delete these files)

C:\WINDOWS\system32\edrlmyyg.dll
C:\WINDOWS\system32\ljJaYQKC.dll
C:\WINDOWS\SYSTEM32\WinCtrl32.dll

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

9) Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

We have fired the first shots in our battle; we may have to drag out bigger guns. I will know more when I see the information I requested.

Thanks
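As an added triage example (not part of the thread and not one of the tools pskelley prescribes), the script below applies the same signals pskelley's fix list relies on to lines taken from Katyp's first HijackThis log: unnamed BHOs that load from system32 or point at a missing file, a Run key with a random hex name that calls rundll32 on a DLL with a one-letter export, Winlogon Notify packages outside the stock Windows XP set, and AppInit_DLLs values that cannot be attributed to an installed product. It also shows a check worth knowing for this family: the "Other Deletions" list in the ComboFix log Katyp posts later in the thread contains .ini/.ini2 files whose names are the BHO DLL names spelled backwards (aHiRBcdd.ini beside ddcBRiHa.dll), so reversing the .ini stems and matching them against the flagged DLLs confirms the entries belong to the same infection. The stock Winlogon Notify list and the attribution of avgrsstx.dll to the AVG 8 install (it appears in the ComboFix file-creation list at the same minute as the AVG driver) are my assumptions, not something the thread states; verify both against a clean machine.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log Katyp posted above (page data, not constructed).
HJT_LINES = [
    r"O2 - BHO: (no name) - {00758478-20CA-40C0-AD17-AB1EEDFAD161} - C:\WINDOWS\system32\fccyaXnn.dll (file missing)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {4F26BEDB-D89B-44A1-948B-5D523292DADF} - C:\WINDOWS\system32\ljJaYQKC.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {F8AE5AC5-7061-419E-98F2-3D57C7FD3BD0} - C:\WINDOWS\system32\ddcBRiHa.dll (file missing)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [6496c8a6] rundll32.exe "C:\WINDOWS\system32\edrlmyyg.dll",b',
    r"O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll",
    r"O20 - Winlogon Notify: ljJaYQKC - C:\WINDOWS\SYSTEM32\ljJaYQKC.dll",
    r"O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll",
]

# Lines copied from the "Other Deletions" section of the ComboFix log posted later in the thread.
COMBOFIX_DELETIONS = [
    r"C:\WINDOWS\system32\aHiRBcdd.ini",
    r"C:\WINDOWS\system32\ccdJlnpo.ini",
    r"C:\WINDOWS\system32\nnXayccf.ini",
    r"C:\WINDOWS\system32\nnXayccf.ini2",
    r"C:\WINDOWS\system32\mssrv32.exe",
    r"C:\WINDOWS\system32\WinCtrl32.dll",
]

# Assumption: stock Windows XP SP2 Winlogon\Notify packages; verify on a clean install.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Assumption: avgrsstx.dll belongs to AVG 8 (created with the AVG driver per the ComboFix log).
KNOWN_APPINIT = {"avgrsstx.dll"}

SYS32_DLL = re.compile(r"\\system32\\([^\\\s\"]+\.dll)", re.IGNORECASE)
HEX_RUNDLL = re.compile(r"\[([0-9a-f]{8})\]\s+rundll32\.exe\s+\"?([^\"]+\.dll)\"?,(\w{1,2})\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def dll_in_system32(line):
    """Return the DLL file name if the line references a DLL under system32."""
    m = SYS32_DLL.search(line)
    return m.group(1) if m else None


def triage_hjt(lines):
    """Flag HijackThis entries showing the signals used in the fix list above."""
    findings = []
    for line in lines:
        if line.startswith("O2 - BHO: (no name)"):
            if "(file missing)" in line or "(no file)" in line:
                findings.append(Finding("O2", "orphaned unnamed BHO CLSID", line))
            elif dll_in_system32(line):
                findings.append(Finding("O2", "unnamed BHO loading from system32", line))
        elif line.startswith("O4 - "):
            m = HEX_RUNDLL.search(line)
            if m:
                reason = "hex-named Run key, rundll32 on %s with export '%s'" % (m.group(2), m.group(3))
                findings.append(Finding("O4", reason, line))
        elif line.startswith("O20 - Winlogon Notify:"):
            name = line.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() not in STOCK_NOTIFY:
                findings.append(Finding("O20", "non-stock Winlogon Notify package", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split(","):
                dll = dll.strip()
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append(Finding("O20", "AppInit_DLLs entry with no known publisher", dll))
    return findings


def reversed_ini_stems(paths):
    """Vundo's companion .ini/.ini2 files carry the BHO DLL name reversed; undo that."""
    stems = set()
    for p in paths:
        m = re.search(r"\\([A-Za-z]{8})\.ini2?$", p)
        if m:
            stems.add(m.group(1)[::-1])
    return stems


def correlate(findings, deletions):
    """DLL stems flagged in HJT that also have a reversed-name .ini in the deletion list."""
    flagged = {dll_in_system32(f.line)[:-4] for f in findings if dll_in_system32(f.line)}
    return sorted(stem for stem in reversed_ini_stems(deletions) if stem in flagged)


if __name__ == "__main__":
    found = triage_hjt(HJT_LINES)
    for f in found:
        print("%-4s %-50s %s" % (f.section, f.reason, f.line))
    print("confirmed by reversed .ini names:", correlate(found, COMBOFIX_DELETIONS))
```

The point of the reversed-name check is that a "(file missing)" BHO is not harmless: the CLSID is still registered, the companion .ini is still on disk, and the family re-creates the DLL under a fresh name on the next boot, which is why the second HJT log in this thread shows three new unnamed BHOs after Spybot removed the first set.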

Katyp
2008-06-07, 14:42
Hello

Thank you so much for helping.

I did as listed below but couldn't find ...

O4 - HKLM\..\RunOnce: [SpybotDeletingA8308] command /c del "C:\WINDOWS\system32\ddcBRiHa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7870] cmd /c del "C:\WINDOWS\system32\ddcBRiHa.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7566] command /c del "C:\WINDOWS\system32\opnlJdcc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1440] cmd /c del "C:\WINDOWS\system32\opnlJdcc.dll_old"


and also

C:\WINDOWS\system32\edrlmyyg.dll
C:\WINDOWS\system32\ljJaYQKC.dll
C:\WINDOWS\SYSTEM32\WinCtrl32.dll

It won't let me run the Malwarebytes' Anti-Malware scan as it shuts down part way through.

I did actually do a Spybot scan this morning before logging on here, so things may have changed. Sorry for doing that. I have never done anything like this before and wasn't sure anyone would get back to me to help. I'll do another HijackThis scan and post the results.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:44, on 07/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1182A6C1-E2F6-4DC4-9E3D-4A9D3EF0194D} - C:\WINDOWS\system32\geBqOhgg.dll (file missing)
O2 - BHO: (no name) - {27BA248E-9AAC-438E-B26A-123400A2FC7D} - C:\WINDOWS\system32\xxywVmNg.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4677EA8A-15A5-468A-87D3-4231AC9D035A} - C:\WINDOWS\system32\opnmKBut.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191271915046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.217.10.160/activex/AxisCamControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7844 bytes

pskelley
2008-06-07, 15:33
Well, we are not doing too well so far :sad: I would appreciate it if you would follow my directions and run only the tools I request. You can't run Kaspersky and you can't run MBAM, which are two of the easiest scans to run on an infected computer.

It wont let me run the Malwarebytes' Anti-Malware scan as it shuts down part way through.
Do you get any error messages when this happens? If so, post those messages word for word.

Please be sure you are reading and following the directions exactly as I post them, I find that usually when these tools fail, almost always it is because the directions were not followed.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Katyp
2008-06-07, 16:19
Hi

Yes, the Kaspersky and MBAM won't complete. The computer just switches off. No text box. A page of text comes up but it goes too fast to be able to read it. It's the same kind of text when the computer first switches on and you can choose to start in safe mode etc.

Just tried to run ComboFix. It got as far as saying 'stage 3 complete', then it switched off again. Tried it twice. :sad:

pskelley
2008-06-07, 16:28
try combofix in safe mode.
http://spyware-free.us/tutorials/safemode/

You understand that it is not the tools, but your computer. You may be looking at a repair or reinstallation of your Operating System, or perhaps even a reformat.

Thanks

Katyp
2008-06-07, 16:41
Tried in safe mode, but ComboFix isn't there when in safe mode.

pskelley
2008-06-07, 16:45
Do you have someone with more computer knowledge you can ask for help running these tools?

Katyp
2008-06-07, 16:51
To be honest, I do actually know a bit about computers. I don't think I'm being thick! When I'm in normal mode, ComboFix is on my desktop and I can run it. When I go into safe mode, it's not on my desktop and I can't seem to see it in the list of programmes. Should it be there? Do I need to install it somehow?

Thanks

pskelley
2008-06-07, 17:12
I am not sure where you installed it. I know it is running from the Desktop; mouse over it to see the path to the location. For instance, on this computer the DSS scan running from my Desktop is:
C:\Documents and Settings\Philip Skelley\Desktop\dss.exe

In safe mode, navigate to that "Desktop" folder and ComboFix.exe can be run from there.

Hope that helps.

Post a fresh HJT log, I will also consider what I can do manually with HJT to help you.

Katyp
2008-06-07, 17:41
Ok... managed to run ComboFix (in normal mode rather than safe mode; it worked this time for some reason). Here are the results...

ComboFix 08-06-06.6 - User 2008-06-07 15:24:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1550 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aHiRBcdd.ini
C:\WINDOWS\system32\aHiRBcdd.ini2
C:\WINDOWS\system32\bqjlaghg.ini
C:\WINDOWS\system32\ccdJlnpo.ini
C:\WINDOWS\system32\ccdJlnpo.ini2
C:\WINDOWS\system32\cKnTCcdd.ini
C:\WINDOWS\system32\cKnTCcdd.ini2
C:\WINDOWS\system32\dKQtvGgh.ini
C:\WINDOWS\system32\dKQtvGgh.ini2
C:\WINDOWS\system32\dqyaporw.ini
C:\WINDOWS\system32\drivers\goE11.sys
C:\WINDOWS\system32\EOpWvyay.ini
C:\WINDOWS\system32\EOpWvyay.ini2
C:\WINDOWS\system32\FgiRCJlm.ini
C:\WINDOWS\system32\FgiRCJlm.ini2
C:\WINDOWS\system32\gefqpjkl.ini
C:\WINDOWS\system32\gghOqBeg.ini
C:\WINDOWS\system32\gghOqBeg.ini2
C:\WINDOWS\system32\ghgaljqb.dll
C:\WINDOWS\system32\gMlonUtv.ini
C:\WINDOWS\system32\gMlonUtv.ini2
C:\WINDOWS\system32\gNmVwyxx.ini
C:\WINDOWS\system32\gNmVwyxx.ini2
C:\WINDOWS\system32\guwdpmro.ini
C:\WINDOWS\system32\gyymlrde.ini
C:\WINDOWS\system32\hhpqfrqe.ini
C:\WINDOWS\system32\khicgsyi.ini
C:\WINDOWS\system32\knWayccf.ini
C:\WINDOWS\system32\knWayccf.ini2
C:\WINDOWS\system32\lkjpqfeg.dll
C:\WINDOWS\system32\mssrv32.exe
C:\WINDOWS\system32\mUuwvyxx.ini
C:\WINDOWS\system32\mUuwvyxx.ini2
C:\WINDOWS\system32\ndsityeo.ini
C:\WINDOWS\system32\nnXayccf.ini
C:\WINDOWS\system32\nnXayccf.ini2
C:\WINDOWS\system32\rbnrrbav.ini
C:\WINDOWS\system32\tadjlees.ini
C:\WINDOWS\system32\tuBKmnpo.ini
C:\WINDOWS\system32\tuBKmnpo.ini2
C:\WINDOWS\system32\ufjvguhb.ini
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\ywksfrcy.ini
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mssrv32.exe
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GOE11
-------\Legacy_MSUPDATE
-------\Service_goE11
-------\Service_msupdate


((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 12:56 . 2008-06-07 12:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-07 12:56 . 2008-06-07 12:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 12:24 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 12:24 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 11:39 . 2008-06-07 11:39 92,544 --a------ C:\WINDOWS\system32\vabrrnbr.dll
2008-06-03 19:24 . 2008-06-03 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 18:55 . 2008-06-03 18:55 <DIR> d-------- C:\Documents and Settings\Administrator.USER-4C74C5A8C9
2008-06-03 18:48 . 2008-06-03 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-02 22:42 . 2008-06-02 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-02 22:42 . 2008-06-02 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-02 22:41 . 2008-06-02 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 20:21 . 2008-06-02 20:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 20:21 . 2008-06-02 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 22:42 . 2008-06-07 12:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-01 12:56 . 2008-06-07 11:05 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-01 12:56 . 2008-06-03 19:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-06-01 12:56 . 2008-06-01 12:56 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-01 12:56 . 2008-06-01 12:56 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-01 12:55 . 2008-06-01 12:55 <DIR> d-------- C:\Program Files\AVG
2008-06-01 12:55 . 2008-06-01 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-31 17:53 . 2008-06-07 11:30 1,660 --a------ C:\WINDOWS\wininit.ini
2008-05-31 17:36 . 2008-05-31 17:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-31 17:36 . 2008-05-31 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 16:49 . 2008-05-31 16:49 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-31 16:13 . 2008-06-01 13:02 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-31 15:52 . 2008-05-31 15:52 62,910 --a------ C:\Program Files\Uninstall.exe
2008-05-31 15:52 . 2008-05-31 15:52 0 --a------ C:\Program Files\uninstall.dat
2008-05-31 15:37 . 2008-05-31 15:37 <DIR> d-------- C:\Documents and Settings\User\Application Data\AXPFixer
2008-05-31 14:53 . 2008-05-31 17:24 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-27 10:17 . 2008-05-27 10:17 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVS4YOU
2008-05-27 10:17 . 2008-05-27 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-27 10:16 . 2008-05-27 10:17 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-27 10:16 . 2008-05-31 14:37 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-27 10:16 . 2007-02-27 19:36 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-05-27 10:16 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-27 10:16 . 2007-02-27 19:36 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-05-27 10:16 . 2007-02-27 19:36 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-14 19:29 . 2008-05-14 19:29 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games
2008-05-14 19:28 . 2008-05-14 19:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-03 03:25 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-06-01 20:02 --------- d-----w C:\Program Files\Yophoto Editor
2008-05-31 23:22 90,112 ----a-w C:\WINDOWS\DUMP48ef.tmp
2008-05-28 01:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-26 17:33 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-15 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-08 18:50 --------- d-----w C:\Program Files\GameSpy Arcade
2008-04-08 18:43 --------- d-----w C:\Program Files\The Creative Assembly
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1182A6C1-E2F6-4DC4-9E3D-4A9D3EF0194D}]
C:\WINDOWS\system32\geBqOhgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27BA248E-9AAC-438E-B26A-123400A2FC7D}]
C:\WINDOWS\system32\xxywVmNg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4677EA8A-15A5-468A-87D3-4231AC9D035A}]
C:\WINDOWS\system32\opnmKBut.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-06-01 12:55 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-06-01 12:55 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-06-01 12:55 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-07-20 06:55 1617920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-01 12:55 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\naY11.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6496c8a6]
C:\WINDOWS\system32\eqrfqphh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\User\LOCALS~1\Temp\rbnpsrv.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 03:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2003-01-27 17:16 376912 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-09-29 21:58 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-01-23 19:13 421888 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-09-18 11:08 29696 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-12 01:58 16264192 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect (ver. 5.1)]
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Ubisoft\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-01 12:56]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-01 12:55]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S0 naY11;naY11;C:\WINDOWS\system32\Drivers\naY11.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6adf5389-705d-11dc-be4e-f6ca374ec6ec}]
\Shell\AutoRun\command - notepad readme.txt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e51ecf-ae72-11dc-becd-001966361e68}]
\Shell\AutoRun\command - E:\AutoTransfer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 02:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 22:34:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 15:32:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-07 15:42:16 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-06-07 22:41:43

Pre-Run: 66,319,286,272 bytes free
Post-Run: 66,692,079,616 bytes free

277 --- E O F --- 2008-05-29 10:00:35



Also results from HJT...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:44:17, on 07/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1182A6C1-E2F6-4DC4-9E3D-4A9D3EF0194D} - C:\WINDOWS\system32\geBqOhgg.dll (file missing)
O2 - BHO: (no name) - {27BA248E-9AAC-438E-B26A-123400A2FC7D} - C:\WINDOWS\system32\xxywVmNg.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4677EA8A-15A5-468A-87D3-4231AC9D035A} - C:\WINDOWS\system32\opnmKBut.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191271915046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.217.10.160/activex/AxisCamControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7804 bytes

pskelley
2008-06-07, 18:13
Now you are talking. Under "Other Deletions" you can see all of the Vundo junk that was causing your problems. Without the tools it is hard to ferret out and remove junk you cannot see. Continue to read and follow all directions carefully.

I see MBAM and could remove it with CFScript; I suggest you try it again, as it may find stuff ComboFix misses. If it will not run, delete it and try a fresh install.

This information is fyi:
Enigma Software Group, Inc.
C:\Program Files\Enigma Software Group
http://www.spywarewarrior.com/viewtopic.php?t=24810
http://www.castlecops.com/t187654-free_spyware_scwnload_a013_com_unknown_questionable.html


1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Windows Defender
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\vabrrnbr.dll
C:\WINDOWS\system32\blackster.scr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1182A6C1-E2F6-4DC4-9E3D-4A9D3EF0194D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27BA248E-9AAC-438E-B26A-123400A2FC7D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4677EA8A-15A5-468A-87D3-4231AC9D035A}]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(may be gone, removed by the script)

O2 - BHO: (no name) - {1182A6C1-E2F6-4DC4-9E3D-4A9D3EF0194D} - C:\WINDOWS\system32\geBqOhgg.dll (file missing)
O2 - BHO: (no name) - {27BA248E-9AAC-438E-B26A-123400A2FC7D} - C:\WINDOWS\system32\xxywVmNg.dll (file missing)
O2 - BHO: (no name) - {4677EA8A-15A5-468A-87D3-4231AC9D035A} - C:\WINDOWS\system32\opnmKBut.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the ComboFix log, a new HJT log and some feedback: how is the computer running now?

Thanks...Phil
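A triage helper for the HijackThis and CFScript formats used in the post above, as an added example that is not part of the thread or of either tool: it picks out the unnamed O2 BHO entries whose DLL is missing or carries an eight-letter random-looking name (a heuristic assumed from this log, not a verdict) and drafts the matching File:: and Registry:: lines. The sample log lines are constructed from entries in this thread plus one placeholder CLSID.

```python
"""Triage a HijackThis log for Vundo-style BHO entries and draft the
ComboFix CFScript lines that would remove their registrations.

Added example for this thread; it is not HijackThis or ComboFix code.  The
heuristics (a BHO with no name whose DLL is missing, or whose DLL is an
eight-letter mixed-case name in system32) are assumptions drawn from the
entries in this log.  The CFScript layout copies the one posted above: a
File:: section listing files to delete and a Registry:: section in which
[-key] means 'delete this key'.
"""
import re

# One HijackThis O2 line: name, CLSID, DLL path, optional "(file missing)".
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Vundo-style filename seen in this log: exactly eight letters in system32.
RANDOM_DLL_RE = re.compile(r"^C:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)

# Constructed sample: lines copied from the log posted in this thread plus one
# line with a placeholder CLSID whose DLL is still on disk.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1182A6C1-E2F6-4DC4-9E3D-4A9D3EF0194D} - C:\WINDOWS\system32\geBqOhgg.dll (file missing)
O2 - BHO: (no name) - {27BA248E-9AAC-438E-B26A-123400A2FC7D} - C:\WINDOWS\system32\xxywVmNg.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\vabrrnbr.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
"""


def parse_bho(line):
    """Return a dict for an O2 line, or None for any other line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def is_suspect(entry):
    """Triage signal only: an unnamed BHO whose DLL is gone or looks random."""
    if entry["name"] != "(no name)":
        return False
    return entry["missing"] or RANDOM_DLL_RE.match(entry["path"]) is not None


def triage(log_text):
    """Return the suspect BHO entries from a HijackThis log, in log order."""
    entries = (parse_bho(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and is_suspect(e)]


def draft_cfscript(suspects):
    """Draft CFScript text: delete DLLs still present, then every BHO key."""
    files = [e["path"] for e in suspects if not e["missing"]]
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    lines.append("Registry::")
    for e in suspects:
        lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + e["clsid"] + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print("suspect:", e["clsid"], e["path"], "(file missing)" if e["missing"] else "")
    print(draft_cfscript(found))
```

Entries it flags are candidates for review against the full log, not an automatic verdict, since an unnamed legitimate BHO with an eight-letter DLL would be listed too.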

Katyp
2008-06-08, 20:55
Hi Phil

Computer running much better now - no switching off at the moment.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58:04, on 08/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191271915046
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://203.217.10.160/activex/AxisCamControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7387 bytes



Combofix log:

ComboFix 08-06-06.6 - User 2008-06-08 18:35:20.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1468 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\vabrrnbr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vabrrnbr.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 12:24 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 12:24 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 19:24 . 2008-06-03 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 18:55 . 2008-06-03 18:55 <DIR> d-------- C:\Documents and Settings\Administrator.USER-4C74C5A8C9
2008-06-03 18:48 . 2008-06-03 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-02 22:42 . 2008-06-02 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-02 22:42 . 2008-06-02 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-02 22:41 . 2008-06-02 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 20:21 . 2008-06-02 20:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 20:21 . 2008-06-02 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 22:42 . 2008-06-07 12:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-01 12:56 . 2008-06-08 17:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-01 12:56 . 2008-06-03 19:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-06-01 12:56 . 2008-06-01 12:56 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-01 12:56 . 2008-06-01 12:56 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-01 12:55 . 2008-06-01 12:55 <DIR> d-------- C:\Program Files\AVG
2008-06-01 12:55 . 2008-06-01 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-31 17:53 . 2008-06-07 11:30 1,660 --a------ C:\WINDOWS\wininit.ini
2008-05-31 17:36 . 2008-05-31 17:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-31 17:36 . 2008-05-31 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 16:49 . 2008-05-31 16:49 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-31 16:13 . 2008-06-01 13:02 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-31 15:52 . 2008-05-31 15:52 62,910 --a------ C:\Program Files\Uninstall.exe
2008-05-31 15:52 . 2008-05-31 15:52 0 --a------ C:\Program Files\uninstall.dat
2008-05-27 10:17 . 2008-05-27 10:17 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVS4YOU
2008-05-27 10:17 . 2008-05-27 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-27 10:16 . 2008-05-27 10:17 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-27 10:16 . 2008-05-31 14:37 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-27 10:16 . 2007-02-27 19:36 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-05-27 10:16 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-27 10:16 . 2007-02-27 19:36 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-05-27 10:16 . 2007-02-27 19:36 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-14 19:29 . 2008-05-14 19:29 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games
2008-05-14 19:28 . 2008-05-14 19:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-03 03:25 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-06-01 20:02 --------- d-----w C:\Program Files\Yophoto Editor
2008-05-31 23:22 90,112 ----a-w C:\WINDOWS\DUMP48ef.tmp
2008-05-28 01:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-26 17:33 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-15 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_15.41.30.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 22:31:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:39:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:39:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4677EA8A-15A5-468A-87D3-4231AC9D035A}]
C:\WINDOWS\system32\opnmKBut.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-06-01 12:55 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-06-01 12:55 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-06-01 12:55 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-07-20 06:55 1617920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-01 12:55 1177368]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\naY11.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6496c8a6]
C:\WINDOWS\system32\eqrfqphh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\User\LOCALS~1\Temp\rbnpsrv.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 03:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2003-01-27 17:16 376912 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-09-29 21:58 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-01-23 19:13 421888 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-09-18 11:08 29696 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-12 01:58 16264192 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect (ver. 5.1)]
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Ubisoft\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-01 12:56]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-01 12:55]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S0 naY11;naY11;C:\WINDOWS\system32\Drivers\naY11.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6adf5389-705d-11dc-be4e-f6ca374ec6ec}]
\Shell\AutoRun\command - notepad readme.txt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e51ecf-ae72-11dc-becd-001966361e68}]
\Shell\AutoRun\command - E:\AutoTransfer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 02:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-09 01:42:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 18:39:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-08 18:49:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 01:48:42
ComboFix2.txt 2008-06-07 22:42:17

Pre-Run: 66,612,998,144 bytes free
Post-Run: 66,611,490,816 bytes free

220 --- E O F --- 2008-06-09 00:35:42

pskelley
2008-06-08, 21:48
Thanks, good to hear :bigthumb: Your HJT log looks to be clean of malware also. Now that you removed all of that junk, I would like to try for a Kaspersky Online Scan, but first, we have this bridge to cross.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

Katyp
2008-06-08, 22:17
Hi

Ran the RC. Sorry, not sure what the C:\*CF-RC.txt* was. Is there a way I can get that up again?

Here is the combofix report... shall I run Kaspersky?

ComboFix 08-06-06.6 - User 2008-06-08 20:13:11.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1503 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-07 12:24 . 2008-06-07 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-07 12:24 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-07 12:24 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 19:24 . 2008-06-03 19:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 18:55 . 2008-06-03 18:55 <DIR> d-------- C:\Documents and Settings\Administrator.USER-4C74C5A8C9
2008-06-03 18:48 . 2008-06-03 18:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-02 22:42 . 2008-06-02 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-02 22:42 . 2008-06-02 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-02 22:41 . 2008-06-02 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 20:21 . 2008-06-02 20:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 20:21 . 2008-06-02 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 22:42 . 2008-06-07 12:21 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-01 12:56 . 2008-06-08 17:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-01 12:56 . 2008-06-03 19:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVGTOOLBAR
2008-06-01 12:56 . 2008-06-01 12:56 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-01 12:56 . 2008-06-01 12:56 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-01 12:55 . 2008-06-01 12:55 <DIR> d-------- C:\Program Files\AVG
2008-06-01 12:55 . 2008-06-01 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-31 17:53 . 2008-06-07 11:30 1,660 --a------ C:\WINDOWS\wininit.ini
2008-05-31 17:36 . 2008-05-31 17:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-31 17:36 . 2008-05-31 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-31 16:49 . 2008-05-31 16:49 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-31 16:13 . 2008-06-01 13:02 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-31 15:52 . 2008-05-31 15:52 62,910 --a------ C:\Program Files\Uninstall.exe
2008-05-31 15:52 . 2008-05-31 15:52 0 --a------ C:\Program Files\uninstall.dat
2008-05-27 10:17 . 2008-05-27 10:17 <DIR> d-------- C:\Documents and Settings\User\Application Data\AVS4YOU
2008-05-27 10:17 . 2008-05-27 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-27 10:16 . 2008-05-27 10:17 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-27 10:16 . 2008-05-31 14:37 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-27 10:16 . 2007-02-27 19:36 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-05-27 10:16 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-27 10:16 . 2007-02-27 19:36 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-05-27 10:16 . 2007-02-27 19:36 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-14 19:29 . 2008-05-14 19:29 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games
2008-05-14 19:28 . 2008-05-14 19:28 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-03 03:25 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-06-01 20:02 --------- d-----w C:\Program Files\Yophoto Editor
2008-05-31 23:22 90,112 ----a-w C:\WINDOWS\DUMP48ef.tmp
2008-05-28 01:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-26 17:33 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-05-15 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_15.41.30.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 22:31:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:39:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:39:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-06-01 12:55 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-06-01 12:55 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-06-01 12:55 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 12:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-07-20 06:55 1617920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-01 12:55 1177368]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\naY11.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6496c8a6]
C:\WINDOWS\system32\eqrfqphh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
C:\DOCUME~1\User\LOCALS~1\Temp\rbnpsrv.exe/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 03:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2003-01-27 17:16 376912 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-09-29 21:58 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-01-23 19:13 421888 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 21:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-09-18 11:08 29696 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2006-09-12 01:58 16264192 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra------ 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect (ver. 5.1)]
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Ubisoft\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-01 12:56]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-01 12:55]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S0 naY11;naY11;C:\WINDOWS\system32\Drivers\naY11.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6adf5389-705d-11dc-be4e-f6ca374ec6ec}]
\Shell\AutoRun\command - notepad readme.txt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5e51ecf-ae72-11dc-becd-001966361e68}]
\Shell\AutoRun\command - E:\AutoTransfer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 02:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-09 01:42:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 20:13:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-08 20:14:59
ComboFix-quarantined-files.txt 2008-06-09 03:14:15
ComboFix2.txt 2008-06-09 03:08:58
ComboFix3.txt 2008-06-09 01:49:12
ComboFix4.txt 2008-06-07 22:42:17

Pre-Run: 66,581,745,664 bytes free
Post-Run: 66,570,883,072 bytes free

196 --- E O F --- 2008-06-09 00:35:42

pskelley
2008-06-08, 23:30
C:\*CF-RC.txt* <<< that's where it is on the C:\ drive. Go ahead and scan with Kaspersky.

Thanks

Katyp
2008-06-09, 00:35
Kaspersky scan results...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 10:38:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 840174
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 99406
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:43:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsrm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05312008-165001.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008060820080609\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DF5B4C.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DF8579.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DF8584.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DFCC08.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\UserData\index.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmona.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ik skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\goE11.sys.vir Infected: Trojan-Dropper.Win32.Agent.shb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.ado skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WinCtrl32.dl_.vir Infected: Trojan-Downloader.Win32.Mutant.ado skipped
C:\QooBox\Quarantine\catchme2008-06-07_153003.48.zip/mssrv32.exe Infected: Trojan.Win32.Buzus.fit skipped
C:\QooBox\Quarantine\catchme2008-06-07_153003.48.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0038409.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ik skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0038410.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0040397.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0040401.sys Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0041400.sys Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0041408.dll Infected: Trojan-Downloader.Win32.Mutant.ado skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0041412.dll Infected: Trojan-Downloader.Win32.Mutant.ado skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0041416.sys Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0041417.exe Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0041486.exe Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP13\change.log Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP4\A0001008.exe Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP4\A0003009.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP5\A0009009.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP5\A0010017.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP5\A0010021.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0011194.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0011195.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0011210.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0011211.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0012210.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0013210.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0014210.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0014220.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0015220.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0015228.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0015238.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0016238.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0016239.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0016249.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0017238.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0018238.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0019238.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0020238.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0021239.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0021249.exe Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP6\A0021252.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0023239.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0023277.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0024277.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0025277.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0025291.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0026300.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0027300.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0028300.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0029300.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0030300.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0030318.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0030340.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP7\A0031339.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0031359.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0032359.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033359.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033370.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033398.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033407.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033465.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033466.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0033467.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0034397.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0035397.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0036397.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP8\A0037397.dll Object is locked skipped
C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP9\A0038397.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_734.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
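
Reading a report like the one above by hand is tedious, and most of its lines ("Object is locked skipped") are not detections at all. The following Python script is an added example, not part of the thread, that parses this line format and sorts the real detections by where they sit: in ComboFix's quarantine folder (C:\QooBox\Quarantine), inside System Restore points, or on the live file system, which is the only group that still needs hands-on attention. The sample lines are copied from the report above; the regular expression, the location rules and the function names are my own assumptions about the format.

```python
import re

# Constructed sample input: a few lines in the shape of the Kaspersky Online
# Scanner report posted above (a path, then a status phrase). The paths are
# copied from that report; the selection is mine.
SAMPLE_LINES = [
    r"Infected Object Name / Virus Name / Last Action",
    r"C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.ado skipped",
    r"C:\QooBox\Quarantine\catchme2008-06-07_153003.48.zip/mssrv32.exe Infected: Trojan.Win32.Buzus.fit skipped",
    r"C:\QooBox\Quarantine\catchme2008-06-07_153003.48.zip ZIP: infected - 1 skipped",
    r"C:\System Volume Information\_restore{2156BE1A-5E28-4DB6-BD66-0407851F52FD}\RP10\A0038409.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ik skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"",
    r"Scan process completed.",
]
SAMPLE_REPORT = "\n".join(SAMPLE_LINES)

# Assumed line grammar: the path may contain spaces, so match the known status
# phrases at the end of the line and take everything before them as the path.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<name>\S+) skipped"
    r"|ZIP: infected - (?P<count>\d+) skipped)$"
)


def classify_location(path):
    """Where a detection sits decides how it gets cleaned up (assumed rules)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # ComboFix quarantine: removed by deleting the folder
    if "\\system volume information\\_restore" in p:
        return "system_restore"  # restore points: removed by purging System Restore
    return "live"                # anything else still needs hands-on cleanup


def triage(report_text):
    """Sort report lines into locked-skipped noise, archive summaries and
    real detections grouped by location."""
    result = {
        "locked": 0,
        "archives": 0,
        "infected": {"quarantine": [], "system_restore": [], "live": []},
        "unparsed": [],
    }
    for raw in report_text.splitlines():
        line = raw.strip()
        # Header, footer and blank lines are not entries; every entry ends in "skipped".
        if not line.endswith("skipped"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            result["unparsed"].append(line)
            continue
        if m.group("locked"):
            result["locked"] += 1
        elif m.group("count") is not None:
            # Container summary line; the infected members are listed separately.
            result["archives"] += 1
        else:
            loc = classify_location(m.group("path"))
            result["infected"][loc].append((m.group("path"), m.group("name")))
    return result


def outstanding(report_text):
    """Infected paths that are neither quarantined nor inside a restore point."""
    return [path for path, _ in triage(report_text)["infected"]["live"]]


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("locked/skipped (not detections):", summary["locked"])
    for loc, hits in summary["infected"].items():
        print(f"{loc}: {len(hits)}")
        for path, name in hits:
            print(f"  {name}  <-  {path}")
    print("still needs attention:", outstanding(SAMPLE_REPORT) or "nothing")
```

Run against the full report, the "live" list is the one to read first; an empty list with everything else in quarantine or restore points is the situation the helper's next post describes, where deleting the quarantine folder and purging System Restore is all that remains.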

pskelley
2008-06-09, 00:47
I apologize; I should have had you delete ComboFix before KOS.

C:\QooBox\Quarantine\ <<< delete that folder

Empty the Recycle Bin and restart the computer.

Clean the infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

That will give you a clean KOS...no need to post a clean scan result.

Safe surfing:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Katyp
2008-06-09, 01:05
Thank you so much. Just doing a KOS now to see.

Do I need to keep any of the things I put on my desktop, such as ComboFix, HJT, MBAM setup etc.? (Don't want to delete anything and then mess it all up!) :oops:

pskelley
2008-06-09, 01:19
Delete ComboFix; it does not update and must be downloaded new if needed. MBAM is free and a good program; you can delete it if you wish. HJT I have had for ten years; it does a lot more than just create a log. That is just a shortcut on the Desktop. Have a look:
http://www.bleepingcomputer.com/tutorials/tutorial42.html

What I do, as a suggestion, is create a folder on the Desktop; I call mine "security", and I drag all the security shortcuts into that folder so they are there when I need them.

Hope that helps....Phil