PDA

View Full Version : My Log file by P1rate please check ! Thanks!



p1rate2008
2008-07-25, 22:32
I ran Spybot S+D and was told I had this :Virtumonde trojan!:oops:

Can you please let me know how to get rid of this ? Thanks!
Here is my Log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:27:51, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hzrController.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebookssahres.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=59111
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: BHO5 - {9873E994-669E-4044-BA64-E5D9AD534A55} - C:\WINDOWS\system32\domie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [EntaTool] "C:\Documents and Settings\Administrator\Desktop\security\EntaTool_06e\EntaTool.exe" /hide
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\RunOnce: [RegDefrag] C:\Program Files\Advanced Registry Doctor\RegDefrag.exe /clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS4\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS5\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS6\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HazardShield - Unknown owner - C:\WINDOWS\system32\hzrController.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SPAMfighter Update Service - Unknown owner - C:\Program Files\SPAMfighter\sfus.exe (file missing)

--
End of file - 13003 bytes

ken545
2008-07-30, 03:12
Hello p1rate2008

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Do this first...Important


Disable the TeaTimer, leave it disabled until we're done,

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect




Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.


O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: BHO5 - {9873E994-669E-4044-BA64-E5D9AD534A55} - C:\WINDOWS\system32\domie.dll

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')O4 - HKUS\S-O4 O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')




Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

p1rate2008
2008-07-30, 12:17
Hi
I done everything you asked and here are both of the results:

HijackThis Log File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:34, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hzrController.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=59111
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [EntaTool] "C:\Documents and Settings\Administrator\Desktop\security\EntaTool_06e\EntaTool.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} -
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HazardShield - Unknown owner - C:\WINDOWS\system32\hzrController.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SPAMfighter Update Service - Unknown owner - C:\Program Files\SPAMfighter\sfus.exe (file missing)

--
End of file - 11578 bytes
--------------------------------------------------------------------------
MBAM Log File:

Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

10:07:53 30/07/2008
mbam-log-7-30-2008 (10-07-53).txt

Scan type: Quick Scan
Objects scanned: 38069
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Please let me know the results when youve read this! Thankyou for your help!!

ken545
2008-07-30, 14:04
Good Morning,


Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 7 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up





Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

p1rate2008
2008-07-31, 18:54
Hi Here are the two log files you wanted taken after I completed your instructions!

HijackThis Log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:42, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\hzrController.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=59111
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [EntaTool] "C:\Documents and Settings\Administrator\Desktop\security\EntaTool_06e\EntaTool.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} -
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{39160F96-756D-44B4-9C8F-39B2939ED0C4}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HazardShield - Unknown owner - C:\WINDOWS\system32\hzrController.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SPAMfighter Update Service - Unknown owner - C:\Program Files\SPAMfighter\sfus.exe (file missing)

--
End of file - 11685 bytes
-----------------------------------------------------------------------

ComboFix Log File:

ComboFix 08-07-30.02 - Administrator 2008-07-31 16:39:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.118 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-31 16:31 . 2008-07-31 16:31 <DIR> d-------- C:\Program Files\Sun
2008-07-31 16:31 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-31 16:28 . 2008-07-31 16:28 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-30 09:59 . 2008-07-30 09:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 09:59 . 2008-07-30 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 09:59 . 2008-07-30 09:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-30 09:59 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 09:59 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 22:13 . 2008-07-28 22:13 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-07-28 22:00 . 2008-07-28 22:00 <DIR> d-------- C:\Program Files\Skype
2008-07-28 22:00 . 2008-07-28 22:00 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-07-26 11:21 . 2008-07-26 11:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-07-26 11:21 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-26 11:21 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-26 11:21 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-26 11:21 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-26 10:50 . 2008-07-26 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-07-26 10:16 . 2008-07-26 10:23 1,752 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-26 10:14 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-26 10:14 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-26 10:14 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-26 10:14 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-26 10:14 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-26 10:14 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-26 10:14 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-26 10:14 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-26 10:14 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-26 10:01 . 2008-07-26 10:02 3,218 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-07-26 02:29 . 2008-07-26 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-26 02:28 . 2008-07-26 02:28 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-26 02:01 . 2008-07-26 11:22 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-26 00:41 . 2008-07-26 00:40 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-26 00:40 . 2008-07-29 11:07 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-25 22:14 . 2008-07-25 22:14 <DIR> d-------- C:\Program Files\Stardock
2008-07-25 22:14 . 2008-04-26 16:14 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-07-25 20:27 . 2008-07-25 20:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 20:02 . 2008-07-25 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-07-25 19:51 . 2008-07-26 02:23 <DIR> d-------- C:\Program Files\PCPitstop
2008-07-23 19:56 . 2008-07-23 19:56 <DIR> d-------- C:\Program Files\MagicDisc
2008-07-23 19:56 . 2008-07-13 21:10 101,120 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-07-19 18:16 . 2008-07-19 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-07-18 19:31 . 2008-06-02 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-07-18 19:28 . 2008-07-18 19:28 <DIR> d-------- C:\Program Files\MainConcept
2008-07-17 09:59 . 2008-07-17 11:22 <DIR> d-------- C:\Program Files\Opera
2008-07-16 21:10 . 2008-07-16 21:11 67 --a------ C:\WINDOWS\Easy DVD Creator.INI
2008-07-16 21:09 . 2008-07-23 14:21 <DIR> dr-h----- C:\$VAULT$.AVG
2008-07-16 21:08 . 2008-07-16 21:10 <DIR> d-------- C:\Program Files\Easy DVD Creator
2008-07-14 18:54 . 2008-07-14 18:54 <DIR> d-------- C:\Program Files\NOS
2008-07-14 18:54 . 2008-07-14 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 15:54 . 2008-07-14 15:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-07-14 15:38 . 2008-07-14 21:42 <DIR> d-------- C:\Program Files\MP3BookHelper
2008-07-13 21:54 . 2008-07-13 21:54 <DIR> d--hs---- C:\Documents and Settings\All Users\Application Data\System Restore
2008-07-13 21:54 . 2008-07-13 21:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FireShot
2008-07-09 14:30 . 2008-07-09 14:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-09 14:30 . 2008-07-09 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-09 14:30 . 2008-07-31 04:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-09 14:30 . 2008-07-26 01:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-09 13:55 . 2008-07-09 13:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-07-09 13:55 . 2008-07-09 13:55 <DIR> d-------- C:\Program Files\AVG
2008-07-09 13:55 . 2008-07-09 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-09 13:55 . 2008-07-09 13:55 10,520 --a------ C:\WINDOWS\system32\avgrsstx(2).dll
2008-07-09 05:34 . 2008-07-09 05:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\360desktop
2008-07-08 23:27 . 2008-07-08 23:27 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-07-08 23:27 . 2008-07-08 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-08 23:27 . 2008-07-08 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-08 23:25 . 2008-07-11 21:17 <DIR> d-------- C:\Program Files\NCH Software
2008-07-08 23:25 . 2008-07-08 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NCH Software
2008-07-08 23:24 . 2008-07-08 23:24 <DIR> d-------- C:\Program Files\Notepad++
2008-07-08 23:24 . 2008-07-08 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Notepad++
2008-07-08 23:20 . 2008-07-08 23:20 <DIR> d-------- C:\Program Files\DAEMON Tools Toolbar
2008-07-08 23:19 . 2008-07-08 23:20 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-08 23:15 . 2008-07-08 23:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2008-07-08 23:15 . 2008-07-08 23:15 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-08 22:56 . 2008-07-08 22:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-07-04 14:03 . 2008-07-04 14:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Avant Profiles
2008-07-01 12:15 . 2008-07-04 19:56 <DIR> d-------- C:\Program Files\AntiPhorm
2008-06-20 18:36 . 2008-06-20 18:36 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 21:10 . 2008-06-19 21:10 <DIR> d-------- C:\Program Files\Recuva
2008-06-11 19:12 . 2008-06-28 10:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-06-11 02:55 . 2008-05-08 13:14 203,008 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 02:19 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 02:19 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 21:33 . 2008-06-10 21:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HiYo
2008-06-10 21:32 . 2008-06-10 21:32 <DIR> d-------- C:\Program Files\HiYo
2008-06-10 21:32 . 2008-06-10 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HiYo
2008-06-10 21:31 . 2008-06-10 21:31 <DIR> d-------- C:\Program Files\Defraggler
2008-06-07 20:17 . 2008-06-07 20:17 <DIR> d-------- C:\Documents and Settings\Administrator\.thumbnails
2008-06-06 23:48 . 2008-07-14 14:55 <DIR> d-------- C:\Program Files\eBay
2008-06-06 23:48 . 2008-07-26 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-06-06 23:48 . 2008-07-14 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eBay
2008-06-06 23:48 . 2008-07-14 15:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eBay
2008-06-06 11:20 . 2008-06-06 11:20 10 --a------ C:\WINDOWS\system32\810429tv4-test.jun
2008-06-06 02:07 . 2008-06-06 02:07 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-06-06 01:13 . 2006-10-01 13:00 25,088 --a------ C:\WINDOWS\system32\shfolder.dll
2008-06-05 03:09 . 2008-06-05 03:09 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-05 03:09 . 2008-06-05 03:09 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-04 18:50 . 2008-06-06 02:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-04 18:50 . 2008-06-04 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-04 18:50 . 2008-06-06 02:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-03 07:54 . 2008-07-28 21:01 <DIR> d-------- C:\Documents and Settings\Administrator\.gimp-2.4
2008-06-03 04:46 . 2008-06-03 04:46 10,276,864 --a------ C:\WINDOWS\system32\atioglx2.dll
2008-06-03 04:22 . 2008-06-03 04:22 413,696 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 04:04 . 2008-06-03 04:04 245,760 --a------ C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:33 . 2008-06-03 03:33 48,128 --a------ C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 03:28 . 2008-06-03 03:28 23,040 --a------ C:\WINDOWS\system32\atiadlxx.dll
2008-06-02 00:24 . 2008-06-02 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-06-02 00:21 . 2008-06-02 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-06-02 00:18 . 2008-06-02 00:18 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-02 00:11 . 2008-06-02 00:25 <DIR> d-------- C:\Program Files\Skype(2)
2008-06-02 00:11 . 2008-07-28 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-02 00:10 . 2008-06-02 00:25 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-02 00:02 . 2008-06-02 00:02 <DIR> d-------- C:\Program Files\ATI
2008-06-01 23:52 . 2008-06-02 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-31 15:31 --------- d-----w C:\Program Files\Java
2008-07-31 14:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-31 05:58 --------- d-----w C:\Program Files\FlashGet
2008-07-30 11:41 --------- d---a-w C:\Program Files\(IE7_Standalone)
2008-07-30 11:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-26 09:18 --------- d-----w C:\Program Files\ImageShackToolbar
2008-07-25 19:15 --------- d-----w C:\Program Files\Advanced Registry Doctor
2008-07-23 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 11:33 360,960 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-07-19 11:33 360,960 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-07-19 11:33 360,960 ----a-w C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-18 18:33 --------- d-----w C:\Program Files\ATI Technologies
2008-07-18 18:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-18 18:25 --------- d-----w C:\Program Files\IrfanView
2008-07-16 17:31 --------- d-----w C:\Program Files\uTorrent
2008-07-16 07:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-07-11 20:18 --------- d-----w C:\Program Files\Yahoo!
2008-07-09 04:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 12:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-03 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2008-06-30 15:51 --------- d-----w C:\Program Files\PC Wizard 2008
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-11 02:10 --------- d-----w C:\Program Files\Google
2008-06-03 06:53 --------- d-----w C:\Program Files\GIMP-2.0
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-06-02 01:13 --------- d-----w C:\Program Files\Lavasoft
2008-06-02 01:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-01 23:25 --------- d-----w C:\Program Files\MagicISO
2008-06-01 23:25 --------- d-----w C:\Program Files\DivX
2008-06-01 23:25 --------- d-----w C:\Program Files\BOINC
2008-05-30 02:57 --------- d-----w C:\Program Files\SPAMfighter
2008-05-28 22:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SPAMfighter
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-01 16:49 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-11-19 19:52 81,920 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
.

------- Sigcheck -------

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-10-01 13:00 360576 c7be59b07c6eb74bea6fd67c1b164015 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-02-11 19:27 360064 ef7834c1d9ddf4c7da697d8c24a03791 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-07-19 12:33 360960 c86970f63daffb97d8221a0136df3224 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-19 12:33 360960 c86970f63daffb97d8221a0136df3224 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-10-01 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-06-06 23:49 171448]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-04 16:01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-07-09 14:30 579584]
"EntaTool"="C:\Documents and Settings\Administrator\Desktop\security\EntaTool_06e\EntaTool.exe" [2008-05-12 18:43 303104]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 10:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 19:30 16855552 C:\WINDOWS\RTHDCPL.exe]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 18:03 36864 C:\WINDOWS\system32\P0620Pin.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-07-09 14:30 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-07-23 19:56:03 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.mjpg"= mcmjpg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"C:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Live\\Mail\\wlmail.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Your Uninstaller 2008\\uruninstaller.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62520:TCP"= 62520:TCP:utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 m5287;m5287;C:\WINDOWS\system32\DRIVERS\m5287.sys [2006-02-26 16:21]
R2 eziwcpkt;Auto Wireless Protocol;C:\WINDOWS\system32\DRIVERS\ezi_wc_pkt.sys [2004-12-04 13:24]
R2 HazardShield;HazardShield;C:\WINDOWS\system32\hzrController.exe [2008-01-24 00:36]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2006-11-10 16:12]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 01:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 01:11]
S2 Nakido;Nakido;C:\Program Files\Nakido\nakido.exe []
S2 SPAMfighter Update Service;SPAMfighter Update Service;C:\Program Files\SPAMfighter\sfus.exe []
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 10:25]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-04-30 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fg0jm4oh.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1686506&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://ebooksshares.org./index.php
FF -: plugin - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 16:41:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 16:43:27
ComboFix-quarantined-files.txt 2008-07-31 15:43:25

Pre-Run: 13,615,767,552 bytes free
Post-Run: 13,624,094,720 bytes free

309 --- E O F --- 2008-06-20 15:31:30


Thankyou for all yourhelp let me know if you need any more info!

ken545
2008-07-31, 19:57
Hi,

You can remove these with HJT.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=59111

O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} -


Some information for you about P2P Programs, I need you to read it and fully understand the dangers of running these types of programs. Our policy has changed and before we offer any help, we require that these programs be uninstalled. You have squeaked under the wire and we are about done, but I want you to know that if you keep these programs and get infected again, this forum ( along with many of the other leading Malware Removal forums) will not offer any help until there uninstalled.

You can remove these via the Add remove Programs.
C:\Program Files\uTorrent
C:\Program Files\Kontiki



P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/...D-theft_1.html

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

We see no purpose in cleaning your machine if you use P2P programs, as it is pretty much certain that if you continue to use them then you will get infected again.

Post a new HJT log and let me know how things are running now??

tashi
2008-08-09, 00:31
Thank you Ken.