Virtumonde :-(

Kippen
2008-08-27, 14:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:00 PM, on 27/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\ATKKBService.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\BitTorrent\bittorrent.exe
H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
H:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
H:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\WINDOWS\explorer.exe
H:\Documents and Settings\Dave\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - H:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] H:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe] 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe
O4 - HKLM\..\Run: [] e
O4 - HKLM\..\Run: [  Hexe]            Hexe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "H:\WINDOWS\system32\xgyslggj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PC Suite Tray] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe] 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe
O4 - HKCU\..\Run: [] e
O4 - HKCU\..\Run: [  Hexe]            Hexe
O4 - HKCU\..\Run: [AdobeUpdater] H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - H:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183531326546
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: clzpeo.dll fnsnvv.dll
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - H:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - H:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - H:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 13555 bytes

Kippen
2008-08-27, 14:49
I have tried to remove this virus with AVG but it never goes away... so any help would be fantastic.
I hope I have created the HJT log correctly. ^^^
Thanks

steamwiz
2008-09-01, 18:53
Hi

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:
* Extended (if available, otherwise Standard)

Scan Options:
* Scan Archives
* Scan Mail Bases

Click OK
Now under select a target to scan:

Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Once finished, save the log to your Desktop as filename KAV.txt


THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

Kippen
2008-09-02, 13:48
Thanks heaps for the directions; here is the log from Malwarebytes.

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

2/09/2008 9:36:02 PM
mbam-log-2008-09-02 (21-36-02).txt

Scan type: Quick Scan
Objects scanned: 50758
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 20
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 3
Files Infected: 52

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
H:\WINDOWS\system32\iifgGXnL.dll (Trojan.Vundo.H) -> Delete on reboot.
H:\WINDOWS\system32\clzpeo.dll (Trojan.Vundo) -> Delete on reboot.
H:\WINDOWS\system32\skkosz.dll (Trojan.Vundo) -> Delete on reboot.
H:\WINDOWS\system32\kixjga.dll (Trojan.Vundo) -> Delete on reboot.
H:\WINDOWS\system32\ybdabo.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{184506b8-7aed-422e-bde9-7b9bad31684e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{184506b8-7aed-422e-bde9-7b9bad31684e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ddbe997-e00b-433f-8fa3-35f69fdc9164} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrpqjd (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9ddbe997-e00b-433f-8fa3-35f69fdc9164} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{effae085-de33-4e7d-83e5-9e70ff07a604} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{effae085-de33-4e7d-83e5-9e70ff07a604} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a3b8a28c-3a0b-4a04-b76e-4bbc55c8d27f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{23ea36e0-cd28-4add-80c5-0b43b915a3f7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7be6b643-6201-4cf7-b8b1-d79ffae57cba} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{58696980-c6b3-4ad2-ab53-718f1c3c57ca} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a93a1ba9-9ee8-469f-a9fe-fd1c26700bda} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\AleWinSecure.EXE (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000000af (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: h:\windows\system32\iifggxnl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: h:\windows\system32\iifggxnl -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: h:\windows\system32\oembios.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\oembios.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (H:\WINDOWS\system32\userinit.exe,H:\WINDOWS\system32\oembios.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
H:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> Delete on reboot.
H:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
H:\WINDOWS\system32\ybdabo.dll (Trojan.Vundo.H) -> Delete on reboot.
H:\WINDOWS\system32\geBrpQJD.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\iifgGXnL.dll (Trojan.Vundo.H) -> Delete on reboot.
H:\WINDOWS\system32\LnXGgfii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\LnXGgfii.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\olvjlmno.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\onmljvlo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\onoscvrm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\mrvcsono.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\oytnjrxn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\nxrjntyo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\pmbyfxoi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\ioxfybmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\seqkuduu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\uudukqes.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\clzpeo.dll (Trojan.Vundo) -> Delete on reboot.
H:\WINDOWS\system32\skkosz.dll (Trojan.Vundo) -> Delete on reboot.
H:\WINDOWS\system32\kixjga.dll (Trojan.Vundo) -> Delete on reboot.
H:\WINDOWS\system32\cmzeol.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\afbkqykm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\afuvssod.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\awwqiu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\fbbmfj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\fnsnvv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\fnufhnom.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\hfmyrsmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\lijtilir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\mleeaykk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\qfgqtbxk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\thhzkp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\ypooasvx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\lyhskcle.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\2N6IOL1U\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\J0BY3S95\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> Delete on reboot.
H:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> Delete on reboot.
H:\Program Files\VAV\vav.ooo (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
H:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\oembios.exe (Trojan.Agent) -> Delete on reboot.
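
A small triage script, added here as an example and not part of the thread or of any tool it mentions, that flags the HijackThis entry patterns which Malwarebytes then confirmed as Trojan.Vundo in the logs above: the non-empty O20 AppInit_DLLs line, O4 Run values with empty, whitespace-padded, zero-filled or 8-hex-digit names, rundll32 loading a random-looking system32 DLL, and the orphaned "(no name)" O3 toolbar. It runs over a constructed excerpt of the posted log; the heuristics, thresholds and function names are my own assumptions, and a hit means "look closer", not "malware".

```python
"""Heuristic triage of HijackThis (HJT) log lines for Vundo-style loading points.
Added example; the rules below are assumptions, not HJT's own classification."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above,
# plus the legitimate entries that sat next to them. The run of zeros in
# the original PCHealthCenter entry is shortened here.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [0000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe] 0000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe
O4 - HKLM\..\Run: [] e
O4 - HKLM\..\Run: [  Hexe]            Hexe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "H:\WINDOWS\system32\xgyslggj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: clzpeo.dll fnsnvv.dll
"""

# HJT line shapes we care about (O4 Run values, O20 AppInit_DLLs, O3 toolbars).
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
ORPHAN_TOOLBAR_RE = re.compile(r"^O3 - Toolbar: \(no name\) - \{[^}]+\} - \(no file\)$")
# rundll32 <path>.dll,<export> with or without quotes around the path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
HEX8_RE = re.compile(r"[0-9a-f]{8}")            # value names like 000000af
RANDOM_STEM_RE = re.compile(r"[a-z]{6,8}")      # Vundo-style names: xgyslggj, clzpeo, fnsnvv
EXECUTABLE_RE = re.compile(r"\.(?:exe|dll|cpl|scr|bat|cmd)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str            # HJT section tag: O3, O4, O20
    reasons: tuple[str, ...]
    line: str               # the original log line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_run_entry(name: str, cmd: str) -> list[str]:
    """Return the reasons an O4 Run value looks suspicious (empty list = clean)."""
    reasons: list[str] = []
    if name.strip() == "":
        reasons.append("empty value name")
    elif name != name.strip():
        reasons.append("value name padded with whitespace")
    if HEX8_RE.fullmatch(name):
        reasons.append("value name is 8 hex digits")
    if "0" * 16 in name:
        reasons.append("value name contains a long run of zeros")
    m = RUNDLL_RE.search(cmd)
    if m:
        stem = basename(m.group("dll"))[:-4]
        if RANDOM_STEM_RE.fullmatch(stem):
            reasons.append(f"rundll32 loads random-looking DLL {stem}.dll")
    if not EXECUTABLE_RE.search(cmd):
        # "e" and "Hexe" in the log above: nothing a loader could resolve.
        reasons.append("command names no executable")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan an HJT log and return one Finding per suspicious line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := RUN_RE.match(line):
            reasons = check_run_entry(m.group("name"), m.group("cmd").strip())
            if reasons:
                findings.append(Finding("O4", tuple(reasons), line))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # so any non-empty value deserves a look.
            dlls = ", ".join(m.group("dlls").split())
            findings.append(Finding("O20", (f"AppInit_DLLs non-empty: {dlls}",), line))
        elif ORPHAN_TOOLBAR_RE.match(line):
            findings.append(Finding("O3", ("toolbar CLSID with no name and no file",), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
```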

Kippen
2008-09-02, 14:22
Combofix log is below... thanks again.

ComboFix 08-09-01.01 - Dave 2008-09-02 22:00:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1466 [GMT 10:00]
Running from: H:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: H:\Documents and Settings\Dave\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Documents and Settings\LocalService\Application Data\sysproc64
H:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys
H:\Documents and Settings\NetworkService\Application Data\sysproc64
H:\Documents and Settings\NetworkService\Application Data\sysproc64\sysproc32.sys
H:\WINDOWS\system32\CbayIRqr.ini
H:\WINDOWS\system32\CbayIRqr.ini2
H:\WINDOWS\system32\inithviq.ini
H:\WINDOWS\system32\irgicicw.ini
H:\WINDOWS\system32\jewclhqj.ini
H:\WINDOWS\system32\jgglsygx.ini
H:\WINDOWS\system32\ltonstdq.ini
H:\WINDOWS\system32\nserlfnd.ini
H:\WINDOWS\system32\RBHOYcfe.ini
H:\WINDOWS\system32\RBHOYcfe.ini2
H:\WINDOWS\system32\ukboetfx.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 21:19 . 2008-09-02 21:24 <DIR> d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 21:19 . 2008-09-02 21:19 <DIR> d-------- H:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-09-02 21:19 . 2008-09-02 21:19 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-02 21:19 . 2008-09-02 00:16 38,528 --a------ H:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-02 21:19 . 2008-09-02 00:16 17,200 --a------ H:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 18:07 . 2008-09-02 18:07 <DIR> d-------- H:\WINDOWS\Sun
2008-09-02 18:06 . 2008-09-02 18:06 <DIR> d-------- H:\Program Files\Java
2008-09-02 18:06 . 2008-06-10 02:32 73,728 --a------ H:\WINDOWS\system32\javacpl.cpl
2008-09-02 18:03 . 2008-09-02 18:03 <DIR> d-------- H:\Program Files\Common Files\Java
2008-08-26 22:38 . 2008-08-26 22:38 <DIR> d-------- H:\Program Files\Safer Networking
2008-08-26 18:28 . 2008-08-26 18:28 <DIR> d-------- H:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-21 21:07 . 2008-08-21 21:09 <DIR> d-------- H:\Brenda Backups
2008-08-14 20:34 . 2008-05-02 00:30 331,776 -----c--- H:\WINDOWS\system32\dllcache\msadce.dll
2008-08-07 23:11 . 2008-08-07 23:25 <DIR> d-------- H:\Ken Parry Limos
2008-08-02 19:05 . 2008-08-14 22:54 <DIR> d-------- H:\Program Files\etax2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 07:54 --------- d-----w H:\Documents and Settings\Dave\Application Data\AVG7
2008-08-26 12:52 --------- d-----w H:\Program Files\Spybot - Search & Destroy
2008-08-26 10:14 --------- d-----w H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-25 08:40 --------- d-----w H:\Documents and Settings\Dave\Application Data\BitTorrent
2008-08-19 12:55 --------- d-----w H:\Program Files\Apple Software Update
2008-08-19 10:46 --------- d-----w H:\Program Files\iTunes
2008-08-19 10:45 --------- d-----w H:\Program Files\iPod
2008-07-15 23:57 --------- d-----w H:\Program Files\QuickTime
2008-07-15 23:57 --------- d-----w H:\Program Files\Bonjour
2008-07-09 23:35 32,000 ----a-w H:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-08 00:34 21,035 ----a-w H:\WINDOWS\system32\drivers\AegisP.sys
2008-07-08 00:34 --------- d-----w H:\Program Files\NETGEAR
2008-07-07 20:32 253,952 ----a-w H:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w H:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w H:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w H:\WINDOWS\system32\mswsock.dll
2007-09-30 04:44 20 ---h--w H:\Documents and Settings\All Users\Application Data\PKP_DLeh.DAT
2007-08-03 06:05 21,320 ----a-w H:\Documents and Settings\Dave\Application Data\GDIPFONTCACHEV1.DAT
2007-05-24 04:58 249,856 ----a-w H:\WINDOWS\inf\WG311v3\InsDrv2k.exe
2006-12-04 01:38 212,992 ----a-w H:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2005-10-06 05:17 280,576 ----a-w H:\WINDOWS\inf\WG311v3\WG311v3XP.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"  Hexe"="           Hexe" [X]
"@"="e" [X]
"MSMSGS"="H:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"msnmsgr"="H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"BitTorrent"="H:\Program Files\BitTorrent\bittorrent.exe" [2007-09-08 09:01 43008]
"PC Suite Tray"="H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
"Nokia.PCSync"="H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"AdobeUpdater"="H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]
"SpybotSD TeaTimer"="H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"  Hexe"="           Hexe" [X]
"NvMediaCenter"="H:\WINDOWS\System32\NvMcTray.dll" [2007-04-13 01:44 81920]
"NvCplDaemon"="H:\WINDOWS\System32\NvCpl.dll" [2007-04-13 01:44 8429568]
"AVG7_CC"="H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 18:26 579584]
"Adobe Photo Downloader"="H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 13:21 61440]
"36X Raid Configurer"="H:\WINDOWS\System32\JMRaidSetup.exe" [2007-02-06 22:08 1953792]
"AppleSyncNotifier"="H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="H:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 19:33 16132608 H:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="H:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 10:18 219136]
"Nokia.PCSync"="H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
NETGEAR WG111v2 Smart Wizard.lnk - H:\Program Files\NETGEAR\WG111v2\WG111v2.exe [2006-05-17 16:05:52 2297856]
NETGEAR WG311v3 Smart Wizard.lnk - H:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-09-17 16:01:44 1507328]

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=H:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logo Calibration Loader.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logo Calibration Loader.lnk
backup=H:\WINDOWS\pss\Logo Calibration Loader.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^ProfileReminder.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\ProfileReminder.lnk
backup=H:\WINDOWS\pss\ProfileReminder.lnkCommon Startup

[HKLM\~\startupfolder\H:^Documents and Settings^Dave^Start Menu^Programs^Startup^MagicDisc.lnk]
path=H:\Documents and Settings\Dave\Start Menu\Programs\Startup\MagicDisc.lnk
backup=H:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 H:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
--a------ 2005-04-04 18:58 856064 H:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 H:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 H:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GamerOSD]
--a------ 2007-02-14 09:42 380928 H:\Program Files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 H:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2006-10-30 22:44 36864 H:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 H:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 20:43 69632 H:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-13 01:44 1626112 H:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"H:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"H:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"H:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"H:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"H:\\Program Files\\BitTorrent\\bittorrent.exe"=
"H:\\NEED4SPEEDUNDERGROUND\\Speed.exe"=
"H:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"H:\\Program Files\\Soldat\\Soldat.exe"=
"H:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"H:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"H:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"H:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"H:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"H:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 PDIHWCTL;PDIHWCTL;H:\WINDOWS\system32\drivers\pdihwctl.sys [2004-07-16 18:12]
R3 L6DP;L6DP;H:\WINDOWS\system32\Drivers\l6dp.sys [2007-09-18 05:31]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;H:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]
R3 Video3D;ASUS Video3D Service;H:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 10:06]
S1 asusgsb;ASUS Virtual Video Capture Device Driver;H:\WINDOWS\system32\drivers\asusgsb32.sys [2005-10-20 16:25]
S3 eyeonedp;eye-one display;H:\WINDOWS\system32\DRIVERS\eyeonedp.sys [2003-11-27 07:49]
S3 L6TPortB;Service - Line 6 TonePort UX2;H:\WINDOWS\system32\Drivers\L6TPortB.sys [2007-09-18 05:25]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
BHO-{3D5F439A-FE59-42C9-9837-83B12D482861} - H:\WINDOWS\system32\rqRIyabC.dll
BHO-{46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)
BHO-{60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
BHO-{7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - H:\WINDOWS\system32\efcYOHBR.dll
BHO-{B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
BHO-{EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
BHO-{F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)
HKCU-Run-000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe - 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe
HKLM-Run-000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe - 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H:\Program Files\PCHealthCenter\2.exe
ShellExecuteHooks-{9DDBE997-E00B-433F-8FA3-35F69FDC9164} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Append to existing PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 -: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - H:\Program Files\PokerStars\PokerStarsUpdate.exe
O15 -: Trusted Zone: *.line6.net

O16 -: DirectAnimation Java Classes - file://H:\WINDOWS\Java\classes\dajava.cab
H:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://H:\WINDOWS\Java\classes\xmldso.cab
H:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 22:07:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: H:\WINDOWS\system32\winlogon.exe
-> H:\WINDOWS\system32\RtlGina2.dll
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\ATKKBService.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
H:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
H:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
.
**************************************************************************
.
Completion time: 2008-09-02 22:16:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-02 12:15:44

Pre-Run: 105,020,276,736 bytes free
Post-Run: 105,214,607,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
H:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

255 --- E O F --- 2008-08-19 08:24:23

steamwiz
2008-09-02, 20:02
HI

Please post the Kaspersky Online Scan log ...

& a new hijackthis log :)

steam

Kippen
2008-09-03, 00:01
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 2, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 02, 2008 00:32:50
Records in database: 1176704
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
D:\
E:\
F:\
G:\
H:\
I:\
L:\

Scan statistics:
Files scanned: 200654
Threat name: 11
Infected objects: 57
Suspicious objects: 0
Duration of the scan: 02:22:06


File name / Threat name / Threats count
H:\WINDOWS\system32\clzpeo.dll/H:\WINDOWS\system32\clzpeo.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cry 34
H:\WINDOWS\System32\clzpeo.dll/H:\WINDOWS\System32\clzpeo.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cry 6
H:\Documents and Settings\Dave\Local Settings\Temp\9c29e5chp9e5ca.exe Infected: Trojan-Spy.Win32.Zbot.ekb 1
H:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\ZY1G3Y5G\test[1].exe Infected: Trojan-Spy.Win32.Zbot.ekb 1
H:\Program Files\PCHealthCenter\0.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.az 1
H:\Program Files\PCHealthCenter\2.exe Infected: not-a-virus:FraudTool.Win32.Agent.bb 1
H:\Program Files\PCHealthCenter\3.exe Infected: Trojan.Win32.Agent.zdv 1
H:\Program Files\PCHealthCenter\4.exe Infected: Trojan.Win32.Agent.yre 1
H:\WINDOWS\system32\awwqiu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cps 1
H:\WINDOWS\system32\clzpeo.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cry 1
H:\WINDOWS\system32\cmzeol.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cth 1
H:\WINDOWS\system32\lijtilir.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cry 1
H:\WINDOWS\system32\lyhskcle.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cps 1
H:\WINDOWS\system32\mleeaykk.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cps 1
H:\WINDOWS\system32\olvjlmno.dll Infected: Trojan.Win32.Monder.fxf 1
H:\WINDOWS\system32\pmbyfxoi.dll Infected: Trojan.Win32.Monder.jck 1
H:\WINDOWS\system32\seqkuduu.dll Infected: Trojan.Win32.Monder.ida 1
H:\WINDOWS\system32\thhzkp.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cps 1
H:\WINDOWS\system32\ypooasvx.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cth 1

The selected area was scanned.

Kippen
2008-09-03, 00:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:58 AM, on 3/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\ATKKBService.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\BitTorrent\bittorrent.exe
H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
H:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
H:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\internet explorer\iexplore.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
H:\Documents and Settings\Dave\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: (no name) - {3D5F439A-FE59-42C9-9837-83B12D482861} - (no file)
O2 - BHO: (no name) - {46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
O2 - BHO: (no name) - {EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - H:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] H:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [  Hexe]            Hexe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PC Suite Tray] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [  Hexe]            Hexe
O4 - HKCU\..\Run: [AdobeUpdater] H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - H:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183531326546
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - H:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - H:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - H:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 13224 bytes

steamwiz
2008-09-03, 20:41
HI

Thanks for posting the KASPERSKY ONLINE SCANNER 7 REPORT

As that scan was run before you ran Malwarebytes' Anti-Malware or ComboFix, and those programs appear to have removed most, if not all, of what Kaspersky found, please run a new Kaspersky Online Scan and post the new KASPERSKY ONLINE SCANNER 7 REPORT.

THEN ...

Disconnect from the internet, close ALL browser windows (including this one), then run HijackThis and tick to fix (check the box next to) each entry in the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: (no name) - {3D5F439A-FE59-42C9-9837-83B12D482861} - (no file)
O2 - BHO: (no name) - {46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)

O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)

O2 - BHO: (no name) - {B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
O2 - BHO: (no name) - {EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)

O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)

O4 - HKLM\..\Run: [  Hexe]            Hexe


O4 - HKCU\..\Run: [  Hexe]            Hexe


Reboot and post a new HijackThis log.

steam
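
The fix list in the post above is picked out of the HijackThis log by eye. The script below, added here as an example and not code from the thread, from HijackThis or from steamwiz, does the same triage automatically. It flags O2 (BHO) and O3 (Toolbar) entries whose CLSID resolves to "(no file)", and O4 Run entries whose value name or command is padded with whitespace or whose command is a bare word with no path and no extension, which is exactly what the "[  Hexe]" entries are. The sample log embedded in it is constructed from lines quoted in this thread; the regexes assume the HijackThis 2.0.x line layout seen here (a single space after the closing bracket of the value name), and the padding test is a heuristic, not a HijackThis feature.

```python
"""Triage helper for HijackThis 2.0.x logs.

Added example for this thread; not code from the thread, from HijackThis or
from the helper. It pulls out the two kinds of entry that were ticked under
'Fix checked':

  * O2 (BHO) and O3 (Toolbar) lines whose CLSID resolves to "(no file)": the
    DLL is gone but Internet Explorer still tries to load its registration.
  * O4 Run lines whose value name or command is padded with whitespace, or
    whose command is a bare word with no path and no extension (the
    "[  Hexe]            Hexe" entries). Padding sorts the value above the
    legitimate ones in regedit and hides it in an autostart listing.

The sample log below is constructed from lines quoted in the thread.
"""
import re
from collections import namedtuple

# A finding carries the HijackThis item code, the reasons it was flagged and
# the original line, which is the exact text to tick in HijackThis.
Finding = namedtuple("Finding", "code reasons line")

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
# O3 - Toolbar: <name> - {CLSID} - <dll path or "(no file)">
ADDON_RE = re.compile(
    r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$"
)
# O4 - <hive>\..\Run: [<value name>] <command>
# Assumption: HijackThis prints exactly one space after "]"; anything beyond
# it is padding stored in the registry value itself.
RUN_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[(.*?)\] (.*)$")

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [  Hexe]            Hexe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [  Hexe]            Hexe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def _executable_token(command):
    """Return the program part of a Run command: the quoted path if the
    command starts with a quote, otherwise the first whitespace token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def scan_hjt(log_text):
    """Return a Finding for every suspicious O2/O3/O4 line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = ADDON_RE.match(line)
        if m:
            code, target = m.group(1), m.group(4).strip()
            if target == "(no file)":
                findings.append(Finding(code, ("CLSID registered but DLL missing (orphan)",), line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue  # Global Startup and other O4 forms are not checked here
        name, command = m.group(2), m.group(3)
        reasons = []
        if name != name.strip():
            reasons.append("value name padded with whitespace")
        if command != command.lstrip():
            reasons.append("command padded with whitespace")
        exe = _executable_token(command)
        # RTHDCPL.EXE has no path but does have an extension (found via PATH),
        # so only a token with neither is treated as bogus.
        if "\\" not in exe and "." not in exe:
            reasons.append("command is a bare word: no path, no extension")
        if reasons:
            findings.append(Finding("O4", tuple(reasons), line))
    return findings


def fix_list(findings):
    """The exact lines to tick under 'Fix checked', in log order."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG):
        print(f"{f.code}: {f.line}\n    -> {'; '.join(f.reasons)}")
```

Run it against a saved hijackthis.log by reading the file into `scan_hjt`; the flagged lines are the ones to tick, and the legitimate entries in the sample (SDHelper, RTHDCPL.EXE, the quoted QuickTime path, the HKUS ctfmon entries) are left alone.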

Kippen
2008-09-04, 23:47
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 04, 2008 11:18:44
Records in database: 1191187
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
D:\
E:\
F:\
G:\
H:\
I:\
L:\

Scan statistics:
Files scanned: 205789
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:17:32

No malware has been detected. The scan area is clean.

The selected area was scanned.

Kippen
2008-09-05, 00:05
Fingers crossed



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:32 AM, on 5/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\WINDOWS\ATKKBService.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Messenger\msmsgs.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
H:\Program Files\BitTorrent\bittorrent.exe
H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
H:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\Documents and Settings\Dave\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: (no name) - {3D5F439A-FE59-42C9-9837-83B12D482861} - (no file)
O2 - BHO: (no name) - {46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
O2 - BHO: (no name) - {EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - H:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] H:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "H:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PC Suite Tray] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "H:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [AdobeUpdater] H:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] H:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = H:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - H:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183531326546
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - H:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - H:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - H:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 12100 bytes

steamwiz
2008-09-05, 19:59
Hi

Looking good :)

I believe TeaTimer may be interfering with the removal of some orphan (empty) registry keys... it would do no harm to leave them, but let's try & remove them ...

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

THEN ...

Disconnect from the internet. Close ALL browser windows (including this one). Run HijackThis and tick to fix (check the box next to) the list below... when all are ticked (checked), click the Fix Checked button at the bottom :-

O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: (no name) - {3D5F439A-FE59-42C9-9837-83B12D482861} - (no file)
O2 - BHO: (no name) - {46ED40DE-EC4C-4E98-BE51-DEF4AD8E0434} - (no file)

O2 - BHO: (no name) - {60A9D301-4AE4-4C9F-B03C-8DC732453B9F} - (no file)
O2 - BHO: (no name) - {7305DDB5-BAF5-44E1-BB27-3463421B2F3A} - (no file)

O2 - BHO: (no name) - {B944A5BD-0DC4-4BEC-BBA1-EED0193DF081} - (no file)
O2 - BHO: (no name) - {EFFAE085-DE33-4E7D-83E5-9E70FF07A604} - (no file)
O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)
Restart your computer.

Run HijackThis again & see if those entries are still there?

Re-enable "real-time protection" with teatimer

steam
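As an added illustration of what the O2 list above picks out (example code, not from the thread, from HijackThis or from Spybot): a small Python parser over a constructed sample of HijackThis O2 lines that flags the BHO registrations reporting "(no file)" and names the registry key each one corresponds to. The "Browser Helper Objects" key path is the standard IE location for BHO registrations; the sample lines and the helper names are constructed for this example.

```python
import re
from typing import List, NamedTuple

# Constructed sample input for this example: a few O2/O3 lines in
# HijackThis v2 format, mixing orphaned "(no file)" BHO entries with
# entries that still point at a DLL on disk.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0902444F-14DB-461C-B556-48EF6844CA36} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F422DE04-F10E-44CC-B1DA-98206AE2B711} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
"""

# Standard location where Internet Explorer enumerates registered BHOs;
# each O2 line corresponds to one CLSID subkey under it.
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)

class Bho(NamedTuple):
    name: str
    clsid: str
    path: str
    orphan: bool  # True when HijackThis reported "(no file)" for the DLL

def parse_o2(log_text: str) -> List[Bho]:
    """Return every O2 (Browser Helper Object) line as a Bho record."""
    result = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            path = m.group("path").strip()
            result.append(Bho(m.group("name"), m.group("clsid"), path, path == "(no file)"))
    return result

def orphaned(bhos: List[Bho]) -> List[Bho]:
    """BHO registrations whose DLL is gone: the leftovers the thread removes."""
    return [b for b in bhos if b.orphan]

def registry_keys_to_remove(bhos: List[Bho]) -> List[str]:
    """The BHO registration key left behind for each orphaned O2 entry."""
    return [BHO_KEY + "\\" + b.clsid for b in orphaned(bhos)]
```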

Kippen
2008-09-06, 13:12
Thank you... the O2 - BHO entries listed above are gone.
Is there anything else I need to do now? Do you need another HJT log?
Thanks sooo much steam :) your easy-to-follow instructions and quick replies have been great.

Cheers

Kippen

steamwiz
2008-09-06, 18:17
Hi

No need to see another hijackthis log :)

If you have no further problems ...

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing

steam

Kippen
2008-09-07, 13:48
Thanks heaps... no more problems. :bigthumb: Yeww!

I will be keeping my PC safe from now on.

Cheers
Kippen

steamwiz
2008-09-07, 19:41
Hi

You're very welcome :)

As this thread is resolved, :) it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam