My computer is badly infected



kadiri
2008-06-07, 00:55
My computer is really infected, please help me. I am trying to go to regedit and it is saying that it has been disabled by the administrator.
Microsoft Windows Service Pack 2
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:48 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\444.470
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\h8907435.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: targetedbanner browser optimizer - {bbe196ea-2b6f-1adb-412c-0ba8c91551e0} - C:\WINDOWS\system32\{73727b3c-8ad1-e184-2034-8a08783cfb7d}.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [{db8f036a-7e07-59b1-8e74-23f86cfe427c}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{73727b3c-8ad1-e184-2034-8a08783cfb7d}.dll" DllStart
O4 - HKLM\..\Run: [G4G] C:\WINDOWS\h8907435.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cbXRIbAP - cbXRIbAP.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUs\command.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 11786 bytes

Shaba
2008-06-08, 12:10
Hi kadiri

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

kadiri
2008-06-08, 20:38
ComboFix 08-06-07.3 - Essa 2008-06-08 13:27:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.505 [GMT -7:00]
Running from: C:\Documents and Settings\Essa\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Essa\Application Data\inst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\index.html
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\g39.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\TinyBHO.dll
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32078471815702.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-08 13:31 . 2008-06-08 13:31 <DIR> d-------- C:\WINDOWS\system32\4664
2008-06-06 22:50 . 2008-06-06 22:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 22:50 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 22:50 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 21:49 . 2008-06-08 13:23 <DIR> d-------- C:\WINDOWS\system32\4618
2008-06-06 21:48 . 2008-06-06 21:48 55,808 --a------ C:\WINDOWS\portsv.exe
2008-06-06 17:00 . 2008-06-06 23:37 <DIR> d--hs---- C:\WINDOWS\TUs
2008-06-06 17:00 . 2008-06-06 17:00 <DIR> d-------- C:\WINDOWS\system32\xrem
2008-06-06 17:00 . 2008-06-06 17:00 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-06-06 17:00 . 2008-06-06 17:00 <DIR> d-------- C:\WINDOWS\system32\NMP
2008-06-06 17:00 . 2008-06-06 23:42 <DIR> d-------- C:\WINDOWS\system32\inet2
2008-06-06 17:00 . 2008-06-06 17:00 <DIR> d-------- C:\WINDOWS\system32\expo
2008-06-06 17:00 . 2008-06-06 23:42 <DIR> d-------- C:\WINDOWS\system32\btz
2008-06-06 17:00 . 2008-06-06 23:42 <DIR> d-------- C:\WINDOWS\system32\105772
2008-06-06 17:00 . 2008-06-08 13:27 <DIR> d-------- C:\Temp
2008-06-06 17:00 . 2008-06-06 17:00 30,728 --a------ C:\WINDOWS\444.470
2008-06-06 16:59 . 2008-06-06 16:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-06 16:59 . 2008-06-06 16:59 87,511 --a------ C:\WINDOWS\system32\iftuyszv.exe
2008-06-06 16:59 . 2008-06-06 16:59 49,158 --a------ C:\WINDOWS\444.0
2008-05-31 21:12 . 2008-05-31 21:12 3,747 --a------ C:\lma_log.html
2008-05-31 20:54 . 2008-05-31 22:09 9,509,193 --a------ C:\new_log.html
2008-05-31 20:54 . 2005-09-29 14:55 69,632 --a------ C:\WINDOWS\system32\FreezeScreenSaver.exe
2008-05-31 20:54 . 2008-06-08 13:31 5,746 --a------ C:\log.html
2008-05-31 20:37 . 2008-06-01 09:20 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\GamingSquared
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\Free Offers from Freeze.com
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\AWS
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\WeatherBug
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GamingSquared
2008-05-31 18:00 . 2008-05-31 18:00 <DIR> d-------- C:\Program Files\VAMT
2008-05-31 17:52 . 2008-05-31 17:52 <DIR> d-------- C:\Program Files\PKVolume
2008-05-28 18:30 . 2008-05-28 18:30 <DIR> d-------- C:\WINDOWS\system32\PPLive
2008-05-27 22:24 . 2008-05-27 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-27 22:21 . 2008-06-06 18:00 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-27 22:20 . 2008-05-27 22:21 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-27 22:19 . 2008-05-27 22:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-27 22:09 . 2008-05-27 22:09 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-27 22:09 . 2008-05-27 22:09 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-27 22:00 . 2008-05-27 22:00 <DIR> d-------- C:\Program Files\Universal
2008-05-27 21:28 . 2008-05-27 21:28 <DIR> d-------- C:\Program Files\iTunes
2008-05-27 21:28 . 2008-05-27 21:28 <DIR> d-------- C:\Program Files\iPod
2008-05-27 21:28 . 2008-06-01 10:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 21:28 . 2008-05-27 21:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-27 21:27 . 2008-05-27 21:27 <DIR> d-------- C:\Program Files\Bonjour
2008-05-27 21:26 . 2008-05-27 21:27 <DIR> d-------- C:\Program Files\QuickTime
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-23 16:26 . 2008-05-23 16:26 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-23 16:26 . 2008-05-23 16:26 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-22 20:56 . 2004-02-24 16:25 19,188 --a------ C:\WINDOWS\Q883956Readme.rtf
2008-05-22 20:33 . 2008-05-22 20:33 <DIR> d-------- C:\Inetpub
2008-05-22 19:59 . 2008-05-22 19:59 <DIR> d-------- C:\811c168832f4749530f7
2008-05-21 15:10 . 2008-06-07 03:23 <DIR> d-------- C:\Program Files\PPMate
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\ppmaterecord
2008-05-21 15:10 . 2008-05-21 17:10 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\SopCast
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\PPMate
2008-05-21 11:02 . 2008-05-21 11:02 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\JLC's Software
2008-05-21 11:01 . 2008-05-21 17:08 <DIR> d-------- C:\Program Files\JLC's Software
2008-05-21 08:28 . 2008-05-21 08:28 <DIR> d-------- C:\Program Files\EPCTV
2008-05-20 22:07 . 2008-05-20 22:07 <DIR> d-------- C:\TVU Networks
2008-05-20 22:07 . 2008-05-20 22:07 <DIR> d-------- C:\LocalLow
2008-05-20 22:07 . 2008-05-20 22:07 69,336 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-20 22:03 . 2008-05-20 22:03 <DIR> d-------- C:\Documents and Settings\Essa\LocalLow
2008-05-20 22:03 . 2008-05-21 08:18 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\TVU Networks
2008-05-20 14:05 . 2008-05-20 14:05 32,768 --a------ C:\WINDOWS\system32\vntiho06\vntiho061083.exe
2008-05-14 20:41 . 2008-05-25 05:14 3,739 --a------ C:\WINDOWS\imsins.BAK
2008-05-14 11:13 . 2008-05-14 11:13 77,824 --a------ C:\WINDOWS\h8907435.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-07 02:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 05:45 --------- d-----w C:\Program Files\Google
2008-05-28 05:19 --------- d-----w C:\Program Files\Common Files\Real
2008-05-28 05:17 --------- d-----w C:\Program Files\Java
2008-05-28 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 18:39 --------- d-----w C:\Documents and Settings\Essa\Application Data\Vso
2008-05-23 02:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-23 01:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 15:34 --------- d-----w C:\Program Files\BitComet
2008-05-19 18:21 --------- d-----w C:\Program Files\Opera
2008-05-09 01:16 --------- d-----w C:\Documents and Settings\Essa\Application Data\ADPHONE
2008-05-09 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-05 23:24 --------- d-----w C:\Documents and Settings\Essa\Application Data\skypePM
2008-05-02 23:43 --------- d-----w C:\Program Files\Alwil Software
2008-05-02 02:10 --------- d-----w C:\Documents and Settings\Essa\Application Data\Symantec
2008-05-01 21:02 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-28 18:50 --------- d-----w C:\Program Files\Microsoft Script Debugger
2008-04-28 18:41 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-04-23 18:33 --------- d-----w C:\Program Files\ProjectX_0.90.4.00
2008-04-22 03:34 --------- d-----w C:\Program Files\DivX
2008-04-21 17:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-21 08:36 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-19 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-19 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-18 15:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-18 15:51 47,360 ----a-w C:\Documents and Settings\Essa\Application Data\pcouffin.sys
2008-04-18 15:51 --------- d-----w C:\Program Files\VSO
2008-04-14 20:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-10 23:30 --------- d-----w C:\Documents and Settings\Essa\Application Data\JustVoip
2008-04-09 05:38 --------- d-----w C:\Documents and Settings\Essa\Application Data\Leadertech
2008-03-27 16:04 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-15 17:08 1,127,928 ----a-w C:\wmm_wdm_sdk.EXE
2008-03-15 16:27 1,454,656 ----a-w C:\Silverlight.exe
2008-03-15 14:39 4,608,744 ----a-w C:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

------- Sigcheck -------

2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-05-01 14:02 360064 5ea8ef32e96a15c0c92e38b84b7502da C:\WINDOWS\system32\dllcache\tcpip.sys
2008-05-01 14:02 360064 5ea8ef32e96a15c0c92e38b84b7502da C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 16:26 635392 --a------ C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]
2008-05-13 12:06 1269760 --a------ C:\WINDOWS\TinyBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-27 22:25 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"G2"="C:\Program Files\GamingSquared\Gaming2\G2.exe" [2008-03-03 16:26 1215664]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 12:25 1003520]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"G4G"="C:\WINDOWS\h8907435.exe" [2008-05-14 11:13 77824]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-12 17:30 249856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRIbAP]
cbXRIbAP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9697:TCP"= 9697:TCP:BitComet 9697 TCP
"9697:UDP"= 9697:UDP:BitComet 9697 UDP
"45862:TCP"= 45862:TCP:BitComet 45862 TCP
"45862:UDP"= 45862:UDP:BitComet 45862 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 FreezeScreenSaver;FreezeScreenSaver;C:\WINDOWS\system32\FreezeScreenSaver.exe [2005-09-29 14:55]
R2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []
S1 rndismpp;rndismpp;C:\WINDOWS\system32\drivers\rndismpp.sys []
S3 EraserUtilDrvI3;EraserUtilDrvI3;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 04:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 01:02:49 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-30 01:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-06-08 04:37:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A40088E4-E173-4F8F-8FD8-A71A10E85160}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 13:31:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\portsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-08 13:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-08 20:34:52

Pre-Run: 66,857,181,184 bytes free
Post-Run: 68,140,236,800 bytes free

296 --- E O F --- 2008-05-28 04:20:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:22 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [G4G] C:\WINDOWS\h8907435.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cbXRIbAP - cbXRIbAP.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7449 bytes

Shaba
2008-06-08, 20:44
Hi

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\h8907435.exe
c:\windows\homepage.html

Folder::
C:\WINDOWS\system32\4664
C:\WINDOWS\system32\4618
C:\WINDOWS\TUs
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\NMP
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\btz
C:\WINDOWS\system32\105772
C:\Temp
C:\WINDOWS\444.470
C:\WINDOWS\444.0

Driver::
PlugPlayRPC

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"G4G"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRIbAP]



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
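The files and the service Shaba puts in the CFScript above are the log entries that stand out in kadiri's HijackThis output: a start page redirected to a local file, orphaned entries marked "(no file)" or "(file missing)", an autorun binary and an "Unknown owner" service living directly in C:\WINDOWS. The script below is an added example (not a tool used in this thread, and not part of HijackThis or ComboFix) that applies those same heuristics to HijackThis-format lines; the sample lines are constructed after the log above and the flagging rules are my own, so they are a triage aid, not a verdict.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries
# posted in this thread; it is embedded here so the example runs offline.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [G4G] C:\WINDOWS\h8907435.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O20 - Winlogon Notify: cbXRIbAP - cbXRIbAP.dll (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# A binary that sits directly in the Windows directory (no subfolder) is
# unusual for legitimate software and common for droppers; both heuristics
# below are assumptions of this example, not rules from the thread.
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.I)
# First drive-letter path ending in .exe/.dll on the line, quotes stripped.
PATH_RE = re.compile(r'"?([a-z]:\\[^"\n]*?\.(?:exe|dll))"?', re.I)


def _entry_code(line):
    """Return the HijackThis section code (R0, O4, O23, ...) of a log line."""
    return line.split(" - ", 1)[0].strip()


def _entry_path(line):
    """Return the first executable/DLL path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line):
    """Return the list of reasons one HijackThis line stands out (empty if none)."""
    reasons = []
    code = _entry_code(line)

    # R0/R1: the browser start page has been pointed at a file on disk.
    if code in ("R0", "R1") and "Start Page" in line and "file://" in line.lower():
        reasons.append("browser start page points at a local file")

    # Any section: the entry refers to a file that is no longer there
    # (leftover after a partial removal, or a dropped loader already gone).
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("entry references a file that no longer exists")

    path = _entry_path(line)
    if path and WIN_ROOT_RE.match(path):
        if code == "O4":
            reasons.append("autorun binary sits directly in the Windows directory")
        elif code == "O23" and "Unknown owner" in line:
            reasons.append("service with no vendor information runs from the Windows directory")
    return reasons


def triage(log_text):
    """Scan a whole log; return (code, reason, line) tuples for flagged entries."""
    findings = []
    for line in log_text.splitlines():
        for reason in triage_line(line):
            findings.append((_entry_code(line), reason, line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample it reports five entries: the R0 start page, the O2 and O20 orphans, the O4 autorun in C:\WINDOWS and the unknown-owner O23 service, while the vendor-signed avast! service and the InstallShield updater under Program Files pass untouched. Entries it flags still need the file itself checked (vendor, signature, scan) before they go into a removal script.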

kadiri
2008-06-09, 01:58
ComboFix 08-06-07.3 - Essa 2008-06-08 18:40:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.532 [GMT -7:00]
Running from: C:\Documents and Settings\Essa\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Essa\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\h8907435.exe
c:\windows\homepage.html
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\iftuyszv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\WINDOWS\444.0\
C:\WINDOWS\444.470\
C:\WINDOWS\h8907435.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\105772
C:\WINDOWS\system32\4618
C:\WINDOWS\system32\4664
C:\WINDOWS\system32\btz
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\expo\mtcon66225.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\NMP
C:\WINDOWS\system32\NMP\antilutx.exe
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\vntiho06\vntiho061083.exe
C:\WINDOWS\system32\xrem
C:\WINDOWS\system32\xrem\imapIP95.exe
C:\WINDOWS\TinyBHO.dll
C:\WINDOWS\TUs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PLUGPLAYRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-08 13:32 . 2008-06-08 13:32 338,094 --a------ C:\WINDOWS\sys018157028471.exe
2008-06-06 22:50 . 2008-06-06 22:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-06 22:50 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 22:50 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 17:00 . 2008-06-06 17:00 30,728 --a------ C:\WINDOWS\444.470
2008-06-06 16:59 . 2008-06-06 16:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-06 16:59 . 2008-06-06 16:59 49,158 --a------ C:\WINDOWS\444.0
2008-05-31 21:12 . 2008-05-31 21:12 3,747 --a------ C:\lma_log.html
2008-05-31 20:54 . 2008-05-31 22:09 9,509,193 --a------ C:\new_log.html
2008-05-31 20:54 . 2005-09-29 14:55 69,632 --a------ C:\WINDOWS\system32\FreezeScreenSaver.exe
2008-05-31 20:54 . 2008-06-08 18:43 5,967 --a------ C:\log.html
2008-05-31 20:37 . 2008-06-01 09:20 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\GamingSquared
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\Free Offers from Freeze.com
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\AWS
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\WeatherBug
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GamingSquared
2008-05-31 18:00 . 2008-05-31 18:00 <DIR> d-------- C:\Program Files\VAMT
2008-05-31 17:52 . 2008-05-31 17:52 <DIR> d-------- C:\Program Files\PKVolume
2008-05-28 18:30 . 2008-05-28 18:30 <DIR> d-------- C:\WINDOWS\system32\PPLive
2008-05-27 22:24 . 2008-05-27 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-27 22:21 . 2008-06-06 18:00 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-27 22:20 . 2008-05-27 22:21 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-27 22:19 . 2008-05-27 22:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-27 22:09 . 2008-05-27 22:09 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-27 22:09 . 2008-05-27 22:09 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-27 22:00 . 2008-05-27 22:00 <DIR> d-------- C:\Program Files\Universal
2008-05-27 21:28 . 2008-05-27 21:28 <DIR> d-------- C:\Program Files\iTunes
2008-05-27 21:28 . 2008-05-27 21:28 <DIR> d-------- C:\Program Files\iPod
2008-05-27 21:28 . 2008-06-01 10:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 21:28 . 2008-05-27 21:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-27 21:27 . 2008-05-27 21:27 <DIR> d-------- C:\Program Files\Bonjour
2008-05-27 21:26 . 2008-05-27 21:27 <DIR> d-------- C:\Program Files\QuickTime
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-23 16:26 . 2008-05-23 16:26 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-23 16:26 . 2008-05-23 16:26 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-22 20:56 . 2004-02-24 16:25 19,188 --a------ C:\WINDOWS\Q883956Readme.rtf
2008-05-22 20:33 . 2008-05-22 20:33 <DIR> d-------- C:\Inetpub
2008-05-22 19:59 . 2008-05-22 19:59 <DIR> d-------- C:\811c168832f4749530f7
2008-05-21 15:10 . 2008-06-07 03:23 <DIR> d-------- C:\Program Files\PPMate
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\ppmaterecord
2008-05-21 15:10 . 2008-05-21 17:10 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\SopCast
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\PPMate
2008-05-21 11:02 . 2008-05-21 11:02 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\JLC's Software
2008-05-21 11:01 . 2008-05-21 17:08 <DIR> d-------- C:\Program Files\JLC's Software
2008-05-21 08:28 . 2008-05-21 08:28 <DIR> d-------- C:\Program Files\EPCTV
2008-05-20 22:07 . 2008-05-20 22:07 <DIR> d-------- C:\TVU Networks
2008-05-20 22:07 . 2008-05-20 22:07 <DIR> d-------- C:\LocalLow
2008-05-20 22:07 . 2008-05-20 22:07 69,336 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-20 22:03 . 2008-05-20 22:03 <DIR> d-------- C:\Documents and Settings\Essa\LocalLow
2008-05-20 22:03 . 2008-05-21 08:18 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\TVU Networks
2008-05-14 20:41 . 2008-05-25 05:14 3,739 --a------ C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-07 02:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 05:45 --------- d-----w C:\Program Files\Google
2008-05-28 05:19 --------- d-----w C:\Program Files\Common Files\Real
2008-05-28 05:17 --------- d-----w C:\Program Files\Java
2008-05-28 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 18:39 --------- d-----w C:\Documents and Settings\Essa\Application Data\Vso
2008-05-23 02:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-23 01:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 15:34 --------- d-----w C:\Program Files\BitComet
2008-05-19 18:21 --------- d-----w C:\Program Files\Opera
2008-05-09 01:16 --------- d-----w C:\Documents and Settings\Essa\Application Data\ADPHONE
2008-05-09 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-05 23:24 --------- d-----w C:\Documents and Settings\Essa\Application Data\skypePM
2008-05-02 23:43 --------- d-----w C:\Program Files\Alwil Software
2008-05-02 02:10 --------- d-----w C:\Documents and Settings\Essa\Application Data\Symantec
2008-05-01 21:02 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-28 18:50 --------- d-----w C:\Program Files\Microsoft Script Debugger
2008-04-28 18:41 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-04-23 18:33 --------- d-----w C:\Program Files\ProjectX_0.90.4.00
2008-04-22 03:34 --------- d-----w C:\Program Files\DivX
2008-04-21 17:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-21 08:36 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-19 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-19 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-18 15:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-18 15:51 47,360 ----a-w C:\Documents and Settings\Essa\Application Data\pcouffin.sys
2008-04-18 15:51 --------- d-----w C:\Program Files\VSO
2008-04-14 20:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-10 23:30 --------- d-----w C:\Documents and Settings\Essa\Application Data\JustVoip
2008-04-09 05:38 --------- d-----w C:\Documents and Settings\Essa\Application Data\Leadertech
2008-03-27 16:04 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-15 17:08 1,127,928 ----a-w C:\wmm_wdm_sdk.EXE
2008-03-15 16:27 1,454,656 ----a-w C:\Silverlight.exe
2008-03-15 14:39 4,608,744 ----a-w C:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

------- Sigcheck -------

2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-05-01 14:02 360064 5ea8ef32e96a15c0c92e38b84b7502da C:\WINDOWS\system32\dllcache\tcpip.sys
2008-05-01 14:02 360064 5ea8ef32e96a15c0c92e38b84b7502da C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-08_13.34.40.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 20:31:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:43:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 01:43:16 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_660.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 16:26 635392 --a------ C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-27 22:25 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"G2"="C:\Program Files\GamingSquared\Gaming2\G2.exe" [2008-03-03 16:26 1215664]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 12:25 1003520]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-12 17:30 249856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9697:TCP"= 9697:TCP:BitComet 9697 TCP
"9697:UDP"= 9697:UDP:BitComet 9697 UDP
"45862:TCP"= 45862:TCP:BitComet 45862 TCP
"45862:UDP"= 45862:UDP:BitComet 45862 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 FreezeScreenSaver;FreezeScreenSaver;C:\WINDOWS\system32\FreezeScreenSaver.exe [2005-09-29 14:55]
S1 rndismpp;rndismpp;C:\WINDOWS\system32\drivers\rndismpp.sys []
S3 EraserUtilDrvI3;EraserUtilDrvI3;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 04:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 01:02:49 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-30 01:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-06-08 04:37:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A40088E4-E173-4F8F-8FD8-A71A10E85160}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 18:44:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-06-08 18:47:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 01:47:24
ComboFix2.txt 2008-06-08 20:34:57

Pre-Run: 68,123,611,136 bytes free
Post-Run: 68,111,753,216 bytes free

238 --- E O F --- 2008-05-28 04:20:11


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:53 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs:
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7100 bytes

Shaba
2008-06-09, 17:28
Hi

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\sys018157028471.exe
C:\WINDOWS\444.470
C:\WINDOWS\444.0


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

kadiri
2008-06-10, 15:57
ComboFix 08-06-07.3 - Essa 2008-06-10 7:52:23.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.518 [GMT -7:00]
Running from: C:\Documents and Settings\Essa\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Essa\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\444.0
C:\WINDOWS\444.470
C:\WINDOWS\sys018157028471.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\444.0
C:\WINDOWS\444.470
C:\WINDOWS\sys018157028471.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 09:35 . 2008-06-09 09:35 <DIR> d-------- C:\kav
2008-06-08 23:03 . 2008-06-08 23:03 <DIR> d-------- C:\Program Files\uTorrent
2008-06-08 23:03 . 2008-06-08 23:32 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\uTorrent
2008-06-08 22:40 . 2003-07-06 14:07 372,736 --a------ C:\WINDOWS\system32\IJL_11.DLL
2008-06-08 22:40 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-06-08 21:53 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-06-08 21:50 . 2008-06-08 21:50 <DIR> d-------- C:\Program Files\MSBuild
2008-06-08 21:50 . 2008-06-08 21:50 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-08 21:39 . 2008-06-08 21:39 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-06-08 21:37 . 2008-06-09 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-06 16:59 . 2008-06-08 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-31 21:12 . 2008-05-31 21:12 3,747 --a------ C:\lma_log.html
2008-05-31 20:54 . 2008-05-31 22:09 9,509,193 --a------ C:\new_log.html
2008-05-31 20:54 . 2005-09-29 14:55 69,632 --a------ C:\WINDOWS\system32\FreezeScreenSaver.exe
2008-05-31 20:54 . 2008-06-10 04:46 8,619 --a------ C:\log.html
2008-05-31 20:37 . 2008-06-01 09:20 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\GamingSquared
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\Free Offers from Freeze.com
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Program Files\AWS
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\WeatherBug
2008-05-31 20:37 . 2008-05-31 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GamingSquared
2008-05-31 18:00 . 2008-05-31 18:00 <DIR> d-------- C:\Program Files\VAMT
2008-05-31 17:52 . 2008-05-31 17:52 <DIR> d-------- C:\Program Files\PKVolume
2008-05-28 18:30 . 2008-05-28 18:30 <DIR> d-------- C:\WINDOWS\system32\PPLive
2008-05-27 22:24 . 2008-05-27 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-27 22:21 . 2008-06-06 18:00 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-05-27 22:20 . 2008-05-27 22:21 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-27 22:19 . 2008-05-27 22:19 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-27 22:09 . 2008-05-27 22:09 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-27 22:09 . 2008-05-27 22:09 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-27 22:00 . 2008-05-27 22:00 <DIR> d-------- C:\Program Files\Universal
2008-05-27 21:28 . 2008-05-27 21:28 <DIR> d-------- C:\Program Files\iTunes
2008-05-27 21:28 . 2008-05-27 21:28 <DIR> d-------- C:\Program Files\iPod
2008-05-27 21:28 . 2008-06-01 10:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 21:28 . 2008-05-27 21:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-27 21:27 . 2008-05-27 21:27 <DIR> d-------- C:\Program Files\Bonjour
2008-05-27 21:26 . 2008-05-27 21:27 <DIR> d-------- C:\Program Files\QuickTime
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-27 21:26 . 2008-05-27 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-23 16:26 . 2008-05-23 16:26 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-23 16:26 . 2008-05-23 16:26 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-22 20:56 . 2004-02-24 16:25 19,188 --a------ C:\WINDOWS\Q883956Readme.rtf
2008-05-22 20:33 . 2008-05-22 20:33 <DIR> d-------- C:\Inetpub
2008-05-22 19:59 . 2008-05-22 19:59 <DIR> d-------- C:\811c168832f4749530f7
2008-05-21 15:10 . 2008-06-07 03:23 <DIR> d-------- C:\Program Files\PPMate
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\ppmaterecord
2008-05-21 15:10 . 2008-05-21 17:10 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\SopCast
2008-05-21 15:10 . 2008-05-21 15:10 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\PPMate
2008-05-21 11:02 . 2008-05-21 11:02 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\JLC's Software
2008-05-21 11:01 . 2008-05-21 17:08 <DIR> d-------- C:\Program Files\JLC's Software
2008-05-21 08:28 . 2008-05-21 08:28 <DIR> d-------- C:\Program Files\EPCTV
2008-05-20 22:07 . 2008-05-20 22:07 <DIR> d-------- C:\TVU Networks
2008-05-20 22:07 . 2008-05-20 22:07 <DIR> d-------- C:\LocalLow
2008-05-20 22:07 . 2008-05-20 22:07 69,336 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-20 22:03 . 2008-05-20 22:03 <DIR> d-------- C:\Documents and Settings\Essa\LocalLow
2008-05-20 22:03 . 2008-05-21 08:18 <DIR> d-------- C:\Documents and Settings\Essa\Application Data\TVU Networks
2008-05-14 20:41 . 2008-05-25 05:14 3,739 --a------ C:\WINDOWS\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 11:45 --------- d-----w C:\Program Files\Alwil Software
2008-06-09 05:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-07 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-07 02:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 05:45 --------- d-----w C:\Program Files\Google
2008-05-28 05:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-28 05:19 --------- d-----w C:\Program Files\Common Files\Real
2008-05-28 05:17 --------- d-----w C:\Program Files\Java
2008-05-28 04:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 18:39 --------- d-----w C:\Documents and Settings\Essa\Application Data\Vso
2008-05-23 02:22 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-23 01:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 15:34 --------- d-----w C:\Program Files\BitComet
2008-05-19 18:21 --------- d-----w C:\Program Files\Opera
2008-05-09 01:16 --------- d-----w C:\Documents and Settings\Essa\Application Data\ADPHONE
2008-05-09 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-05 23:24 --------- d-----w C:\Documents and Settings\Essa\Application Data\skypePM
2008-05-02 02:10 --------- d-----w C:\Documents and Settings\Essa\Application Data\Symantec
2008-05-01 21:02 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-28 18:50 --------- d-----w C:\Program Files\Microsoft Script Debugger
2008-04-28 18:41 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-04-27 12:41 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-04-23 18:33 --------- d-----w C:\Program Files\ProjectX_0.90.4.00
2008-04-22 03:34 --------- d-----w C:\Program Files\DivX
2008-04-21 08:36 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-19 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-19 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-18 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-18 15:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-18 15:51 47,360 ----a-w C:\Documents and Settings\Essa\Application Data\pcouffin.sys
2008-04-18 15:51 --------- d-----w C:\Program Files\VSO
2008-04-14 20:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-10 23:30 --------- d-----w C:\Documents and Settings\Essa\Application Data\JustVoip
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 16:04 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-15 17:08 1,127,928 ----a-w C:\wmm_wdm_sdk.EXE
2008-03-15 16:27 1,454,656 ----a-w C:\Silverlight.exe
2008-03-15 14:39 4,608,744 ----a-w C:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-14 16:09 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-28 01:54 217,088 ----a-w C:\Program Files\TTC.dll
.

------- Sigcheck -------

2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-05-01 14:02 360064 5ea8ef32e96a15c0c92e38b84b7502da C:\WINDOWS\system32\dllcache\tcpip.sys
2008-05-01 14:02 360064 5ea8ef32e96a15c0c92e38b84b7502da C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot_2008-06-08_23.38.03.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 06:33:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 11:46:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-10-27 22:16:36 133,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\CONTAB32.DLL
+ 2006-10-27 03:55:32 87,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DLGSETP.DLL
+ 2006-10-27 02:48:14 434,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DWTRIG20.EXE
+ 2006-10-27 22:07:36 17,891,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\EXCEL.EXE
+ 2006-10-27 03:55:48 340,248 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MIMEDIR.DLL
+ 2006-10-27 22:04:08 497,504 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MORPH9.DLL
+ 2006-10-27 22:26:40 16,870,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSO.DLL
+ 2006-10-27 22:04:10 9,581,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MSPUB.EXE
+ 2006-10-27 22:16:46 2,939,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OLMAPI32.DLL
+ 2006-10-27 03:34:12 660,792 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OMSMAIN.DLL
+ 2006-10-27 03:34:10 192,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OMSXP32.DLL
+ 2006-09-15 23:25:18 3,611,416 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
+ 2006-10-27 22:16:44 594,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLMIME.DLL
+ 2006-10-27 22:16:48 12,813,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLOOK.EXE
+ 2006-10-27 22:16:40 176,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLPH.DLL
+ 2006-10-27 03:09:36 136,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PRTF9.DLL
+ 2006-10-27 03:55:54 413,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PSTPRX32.DLL
+ 2006-10-27 22:04:06 624,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PTXT9.DLL
+ 2006-10-27 03:09:44 590,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\PUBCONV.DLL
+ 2006-10-27 03:55:44 263,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCNPST32.DLL
+ 2006-10-27 03:55:44 272,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCNPST64.DLL
+ 2006-10-27 22:23:04 347,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WINWORD.EXE
+ 2006-10-27 22:23:08 17,483,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\WWLIB.DLL
+ 2006-10-27 04:17:08 11,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XLCALL32.DLL
- 2008-06-09 04:29:35 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-06-10 06:08:25 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-06-09 05:22:57 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-06-10 06:13:20 1,165,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-06-09 05:22:59 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-06-10 06:13:20 20,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-06-09 05:22:58 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-06-10 06:13:20 159,504 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-06-09 05:22:58 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-06-10 06:13:20 184,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-06-09 05:22:58 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-06-10 06:13:20 217,864 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-06-09 05:22:59 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-06-10 06:13:20 18,704 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-06-09 05:22:59 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-06-10 06:13:20 35,088 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-06-09 05:22:58 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-06-10 06:13:20 845,584 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-06-09 05:22:58 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-06-10 06:13:20 922,384 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-06-09 05:22:58 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-06-10 06:13:20 272,648 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-06-09 05:22:59 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-06-10 06:13:20 888,080 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-06-09 05:22:57 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-06-10 06:13:20 1,172,240 ----a-r C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-06-10 11:46:46 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6ac.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}]
2008-03-03 16:26 635392 --a------ C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBB12A74-A337-4C09-8D73-89EC1F4EC438}]
\C:\WINDOWS\system32\expo\mtcon66225.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-27 22:25 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"G2"="C:\Program Files\GamingSquared\Gaming2\G2.exe" [2008-03-03 16:26 1215664]
"Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 12:25 1003520]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-12 17:30 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 22:19 185896]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"aswAhAScr.dll"="C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.exe" [2003-09-16 03:27 22016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160]

C:\Documents and Settings\Essa\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9697:TCP"= 9697:TCP:BitComet 9697 TCP
"9697:UDP"= 9697:UDP:BitComet 9697 UDP
"45862:TCP"= 45862:TCP:BitComet 45862 TCP
"45862:UDP"= 45862:UDP:BitComet 45862 UDP

R2 FreezeScreenSaver;FreezeScreenSaver;C:\WINDOWS\system32\FreezeScreenSaver.exe [2005-09-29 14:55]
S1 rndismpp;rndismpp;C:\WINDOWS\system32\drivers\rndismpp.sys []
S3 EraserUtilDrvI3;EraserUtilDrvI3;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys []

*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 04:31:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-07 01:02:49 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-30 01:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-06-10 14:52:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A40088E4-E173-4F8F-8FD8-A71A10E85160}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 07:54:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PROCEXP90]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS"
.
Completion time: 2008-06-10 7:55:58
ComboFix-quarantined-files.txt 2008-06-10 14:55:40
ComboFix2.txt 2008-06-09 06:54:52
ComboFix3.txt 2008-06-09 06:38:20
ComboFix4.txt 2008-06-09 01:47:28
ComboFix5.txt 2008-06-08 20:34:57

Pre-Run: 65,748,709,376 bytes free
Post-Run: 65,809,821,696 bytes free

301 --- E O F --- 2008-06-10 06:13:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:21 AM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\PKVolume\PKVOLUME.exe
C:\Program Files\BitComet\tools\CometBrowser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8629 bytes

Shaba
2008-06-10, 16:10
Hi

Have you previously uninstalled Norton?

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Please do not use your computer while the scan is running.
Click the Save Report As... button (see red arrow below)
http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif
In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)
http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report

kadiri
2008-06-12, 00:46
Sorry for the delay. Well, I did uninstall Norton a couple of weeks ago or so..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:08 PM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8704 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 11, 2008 18:33:17
Records in database: 852643
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 73449
Threat name: 29
Infected objects: 70
Suspicious objects: 0
Duration of the scan: 02:17:36


File name / Threat name / Threats count
C:\Documents and Settings\Essa\My Documents\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Setup\KIS7.0.1.exe Infected: Trojan-Downloader.Win32.Small.wbx 1
C:\Documents and Settings\Essa\My Documents\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Setup\KIS7.0.1.exe Infected: Trojan-Downloader.Win32.Small.wwi 1
C:\Downloads\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY).zip Infected: Trojan-Downloader.Win32.Small.wbx 1
C:\Downloads\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY).zip Infected: Trojan-Downloader.Win32.Small.wwi 1
C:\Program Files\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\QooBox\Quarantine\C\Documents and Settings\Essa\Application Data\Microsoft\dtsc\32728.exe.vir Infected: Trojan-Downloader.Win32.Agent.shg 1
C:\QooBox\Quarantine\C\WINDOWS\17PHolmes1000106.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\17PHolmes1921.exe.vir Infected: Trojan-Downloader.Win32.Homles.br 1
C:\QooBox\Quarantine\C\WINDOWS\444.0.vir Infected: Trojan.Win32.DNSChanger.ejb 1
C:\QooBox\Quarantine\C\WINDOWS\444.470.vir Infected: Trojan-Downloader.Win32.Small.wsi 1
C:\QooBox\Quarantine\C\WINDOWS\h8907435.exe.vir Infected: Trojan-Downloader.Win32.VB.euf 1
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\105772\dllsockt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\btz\L3pars2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\expo\mtcon66225.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\QooBox\Quarantine\C\WINDOWS\system32\g39.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\iftuyszv.exe.vir Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\inet2\xVXdll.exe.vir Infected: Trojan.Win32.Agent.lom 1
C:\QooBox\Quarantine\C\WINDOWS\system32\NMP\antilutx.exe.vir Infected: Trojan-Downloader.Win32.Small.wfv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vntiho06\vntiho061083.exe.vir Infected: Trojan-Downloader.Win32.VB.epp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xrem\imapIP95.exe.vir Infected: Trojan.Win32.DNSChanger.ebg 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP151\A0066482.exe Infected: not-a-virus:AdWare.Win32.OneStep.c 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP151\A0066483.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP151\A0066490.exe Infected: Backdoor.Win32.VB.cya 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079129.EXE Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079129.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079129.EXE Infected: Trojan-Downloader.Win32.VB.eau 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079142.EXE Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079142.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079142.EXE Infected: Trojan-Downloader.Win32.VB.eau 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079143.EXE Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079143.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079143.EXE Infected: Trojan-Downloader.Win32.VB.eau 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084329.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084329.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084329.exe Infected: Trojan-Downloader.Win32.VB.eau 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084527.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qqz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084528.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nnm 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP174\A0084528.exe Infected: Trojan-Downloader.Win32.VB.eau 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP175\A0089757.exe Infected: not-a-virus:PSWTool.Win32.AirCrack.c 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP211\A0096010.dll Infected: not-a-virus:AdWare.Win32.OneStep.l 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP211\A0096092.exe Infected: Trojan.Win32.DNSChanger.dja 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP211\A0096093.exe Infected: Trojan.Win32.DNSChanger.dja 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP211\A0096201.dll Infected: not-a-virus:AdWare.Win32.OneStep.l 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP215\A0097942.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.tso 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP215\A0098950.exe Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP215\A0098950.exe Infected: Trojan-Downloader.Win32.Small.wwi 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP215\A0098951.exe Infected: Trojan-Downloader.Win32.Obfuscated.za 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP215\A0099023.exe Infected: not-a-virus:FraudTool.Win32.SpyAway.q 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP217\A0101352.exe Infected: not-a-virus:AdWare.Win32.Agent.byy 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP218\A0101410.exe Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP218\A0101411.exe Infected: Trojan-Downloader.Win32.Small.wfv 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP218\A0101412.exe Infected: Trojan-Downloader.Win32.VB.epp 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP218\A0101413.exe Infected: Trojan.Win32.DNSChanger.ebg 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP218\A0101415.exe Infected: Trojan-Downloader.Win32.VB.euf 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP218\A0101417.exe Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP223\A0106823.exe Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP223\A0106824.exe Infected: Trojan-Downloader.Win32.Homles.br 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP223\A0106825.exe Infected: Trojan-Downloader.Win32.Homles.br 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP223\A0106826.exe Infected: Trojan-Downloader.Win32.Agent.shg 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106943.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106944.exe Infected: Trojan-Downloader.Win32.Small.buy 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106945.exe Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106946.exe Infected: Trojan.Win32.Agent.lom 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106947.exe Infected: Trojan-Downloader.Win32.VB.epp 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106948.exe Infected: Trojan.Win32.DNSChanger.ebg 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP224\A0106949.exe Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP227\A0107322.exe Infected: Trojan-Downloader.Win32.Small.wbx 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP227\A0107322.exe Infected: Trojan-Downloader.Win32.Small.wwi 1

The selected area was scanned.
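The HijackThis log in the post above is read by eye: the helper looks for start pages redirected to a local file, entries whose target file is gone, unnamed BHOs and toolbars, the AppInit_DLLs injection point, and services with no publisher. As an added example (not part of this thread, and not HijackThis code), here is a small Python triage that applies those same first-pass rules to the log. The sample lines are excerpted from the log above; the rules themselves, the "fix" versus "review" labels and the wording of the reasons are this example's own choices, and "fix" only means the entry is an orphan or an obvious redirect that HijackThis can safely remove, not that the underlying malware is gone.

```python
"""Added example (not part of this thread and not HijackThis code): a first-pass
triage of a HijackThis v2 log that mechanises what a helper reads by eye.

Rules, all this example's own choices:
  * R0/R1 start or search page settings that do not point at an http(s) URL
    (the log above has both start pages redirected to file://c:/windows/homepage.html)
  * entries whose target is gone, marked "(no file)" / "(file missing)": orphans
    left behind by an earlier removal, safe to let HijackThis fix
  * unnamed O2 BHOs / O3 toolbars
  * O20 AppInit_DLLs, which loads the named DLL into every process that links user32.dll
  * O23 services with no recognised publisher ("Unknown owner")
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpted from the log posted above; a handful of lines is enough to exercise every rule.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "fix": safe to let HijackThis remove; "review": a human decides
    reason: str
    line: str


def _registry_value_name(line: str) -> str:
    """For 'R0 - HKCU...Main,Start Page = file://...' return 'Start Page'."""
    if "," not in line:
        return ""
    return line.split(",", 1)[1].split("=", 1)[0].strip()


def classify(line: str) -> Optional[Finding]:
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]             # "R0", "O2", "O23", ...
    if section in ("R0", "R1"):
        # Only page/URL settings are judged; ProxyOverride and the like are not pages.
        if not _registry_value_name(line).endswith(("Page", "URL")):
            return None
        target = line.split("=", 1)[1].strip()
        if not target.lower().startswith(("http://", "https://")):
            return Finding("fix", "browser page setting points at a non-HTTP location", line)
        return None
    if any(marker in line for marker in ORPHAN_MARKERS):
        return Finding("fix", "target file no longer exists (orphan of an earlier removal)", line)
    if section in ("O2", "O3") and "(no name)" in line:
        return Finding("review", "unnamed browser helper object or toolbar", line)
    if section == "O20":
        return Finding("review", "AppInit_DLLs loads this DLL into every user32-linked process", line)
    if section == "O23" and "Unknown owner" in line:
        return Finding("review", "service with no recognised publisher", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Every flagged line of the log, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the excerpt it flags the two redirected start pages, the four orphans, and the AppInit_DLLs entry, and passes over the avast! and Adobe entries and the ProxyOverride setting; a real log would get the same treatment with the full set of lines pasted in.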

Shaba
2008-06-12, 16:23
Hi

Delete these:

C:\Documents and Settings\Essa\My Documents\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)
C:\Downloads\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY).zip
C:\Program Files\TTC.dll

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin.

Follow these (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=bar_sch_nam&docid=2004092711224136&nsf=nip.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=ag)
instructions and post back a fresh HijackThis log, please.
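The reply above turns 70 scanner hits into a three-item delete list by looking at where each file lives: everything under C:\QooBox\Quarantine has already been disarmed (QooBox is ComboFix's quarantine folder, so emptying it finishes the job), everything under System Volume Information\_restore is a copy held by System Restore that cannot be cleaned in place and goes away when the restore points are purged, and only the remainder has to be deleted by hand. Worth noting from the report itself: two of the three live items are a cracked "WITH LIFETIME KEY" Kaspersky installer that Kaspersky's own scanner flags as a Trojan-Downloader, which is the usual cost of a pirated security product. As an added example (not part of this thread, and not Kaspersky's code), here is a Python script that performs that sorting over lines excerpted from the report above; the bucket names are this example's own.

```python
r"""Added example (not part of this thread and not Kaspersky's code): sort the
hits in a Kaspersky Online Scanner report by where each file lives, which is
the reasoning behind the short delete list in the reply above.

Buckets (this example's own names):
  quarantined    under C:\QooBox\Quarantine, ComboFix's quarantine folder:
                 already disarmed, emptying the folder finishes the job
  restore_point  under System Volume Information\_restore: copies held by
                 System Restore, discarded when the restore points are purged
  live           everything else, which has to be deleted by hand
"""
import re
from collections import defaultdict
from typing import Dict, List

# Excerpted from the report posted above; enough lines to populate every bucket.
# The header and trailer lines are included on purpose to show they are ignored.
SAMPLE_REPORT = r"""Infected objects: 70
File name / Threat name / Threats count
C:\Documents and Settings\Essa\My Documents\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Setup\KIS7.0.1.exe Infected: Trojan-Downloader.Win32.Small.wbx 1
C:\Documents and Settings\Essa\My Documents\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY)\Setup\KIS7.0.1.exe Infected: Trojan-Downloader.Win32.Small.wwi 1
C:\Downloads\Kaspersky Internet Security AntiVirus 7.0.1.325 (WITH LIFETIME KEY).zip Infected: Trojan-Downloader.Win32.Small.wbx 1
C:\Program Files\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.e 1
C:\QooBox\Quarantine\C\WINDOWS\444.0.vir Infected: Trojan.Win32.DNSChanger.ejb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\iftuyszv.exe.vir Infected: not-virus:Hoax.Win32.Renos.cvz 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP173\A0079129.EXE Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{16AB1EB2-F061-41BA-8DFB-588BA17FD282}\RP227\A0107322.exe Infected: Trojan-Downloader.Win32.Small.wbx 1
The selected area was scanned.
"""

# One report line: "<path> Infected: <threat name> <count>". Paths may contain spaces
# and parentheses, so the path group is non-greedy and anchored by " Infected: ".
REPORT_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
RESTORE_MARKER = "\\system volume information\\_restore"


def bucket(path: str) -> str:
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantined"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def sort_report(text: str) -> Dict[str, Dict[str, List[str]]]:
    """bucket -> {path: [threat names]}; one path may carry several detections."""
    buckets: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m is None:
            continue                      # headers, blank lines, the trailer
        buckets[bucket(m["path"])].setdefault(m["path"], []).append(m["threat"])
    return dict(buckets)


def delete_list(text: str) -> List[str]:
    """The paths a helper would actually tell the user to delete by hand."""
    return sorted(sort_report(text).get("live", {}))


if __name__ == "__main__":
    for name, hits in sort_report(SAMPLE_REPORT).items():
        print(f"{name}: {len(hits)} file(s)")
        for path, threats in hits.items():
            print(f"   {path}\n      {', '.join(threats)}")
    print("delete by hand:", *delete_list(SAMPLE_REPORT), sep="\n   ")
```

On the excerpt the live bucket holds exactly the three paths named in the reply (the installer, the zip and TTC.dll), the two QooBox hits fall into quarantined and the two _restore hits into restore_point. Because the sorting keys only on path prefixes, the same script applied to the full report gives the same three-item list, plus the instruction to empty the quarantine folder and purge the restore points.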

kadiri
2008-06-12, 17:48
C:\Program Files\TTC.dll: I couldn't find it to delete it.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:35 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8484 bytes

kadiri
2008-06-12, 17:50
Hi and thanks so much for your help,
C:\Program Files\TTC.dll: I couldn't find it to delete it.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:35 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8484 bytes

Shaba
2008-06-12, 18:00
Hi

See here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and post back if it helped to find it :)

kadiri
2008-06-13, 05:38
I think that worked - thank you for your help, this is the latest scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:04 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BitComet\tools\CometBrowser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (Gaming)2 - {971F630E-AD68-4d6e-B0C3-1C627AAC80F1} - C:\Program Files\GamingSquared\Gaming2\G2IE_v1042.dll
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8870 bytes

Shaba
2008-06-13, 15:20
Hi

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Close all windows including browser and press fix checked.

Reboot.

Post back a fresh HijackThis log.

kadiri
2008-06-14, 18:28
O2 - BHO: (no name) - {FBB12A74-A337-4C09-8D73-89EC1F4EC438} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
This one was not there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:10 AM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GamingSquared\Gaming2\G2.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [G2] "C:\Program Files\GamingSquared\Gaming2\G2.exe"
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7314 bytes

Shaba
2008-06-14, 18:50
Hi

That looks good :)

Still problems?

kadiri
2008-06-15, 04:12
Thank you so much for your help. I scanned the computer and my virus scan found a couple of viruses, and for some of them it said that it cannot delete them. Do you think that is fine, or what should I do? Thank you again for your help...

Shaba
2008-06-15, 12:15
Hi

Please then post the virus scan report next :)

kadiri
2008-06-18, 06:40
Sorry, I tried to post a virus scan log but it would not work for me; I do not know why.

Shaba
2008-06-18, 20:02
Hi

Can you tell me further details?

Shaba
2008-06-23, 17:16
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.