
Thread: 2nd try. BHO.DBU

  1. #11
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Yes, you did it right

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    E:\WINDOWS\system32\wa56.exe
    E:\WINDOWS\SET209.tmp
    E:\WINDOWS\SET206.tmp
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wa56"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wa56"=-
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  2. #12
    Junior Member
    Join Date
    Jan 2008
    Posts
    11

    Default Wow..

    Wow.. sorry, I didn't realise there was a second page to the thread! Dummy. OK, here is the log... I'll follow with the HijackThis.

    ComboFix 08-02-16.2 - Rich 2008-02-21 6:39:28.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1044 [GMT -8:00]
    Running from: E:\Documents and Settings\Rich\Desktop\ComboFix.exe
    Command switches used :: E:\Documents and Settings\Rich\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    E:\WINDOWS\SET206.tmp
    E:\WINDOWS\SET209.tmp
    E:\WINDOWS\system32\wa56.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\WINDOWS\SET206.tmp
    E:\WINDOWS\SET209.tmp
    E:\WINDOWS\system32\wa56.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
    .

    2008-02-17 03:00 . 2008-02-17 03:00 <DIR> d-------- E:\WINDOWS\LastGood
    2008-02-16 07:46 . 2008-02-16 07:46 5,120 --ahs---- E:\WINDOWS\system32\Thumbs.db
    2008-02-15 18:02 . 2006-11-07 09:42 97,056 -ra------ E:\WINDOWS\system32\drivers\w200mdm.sys
    2008-02-15 18:02 . 2006-11-07 09:42 9,328 -ra------ E:\WINDOWS\system32\drivers\w200mdfl.sys
    2008-02-15 18:02 . 2006-11-07 09:42 6,208 -ra------ E:\WINDOWS\system32\drivers\w200cmnt.sys
    2008-02-15 18:02 . 2006-11-07 09:42 6,208 -ra------ E:\WINDOWS\system32\drivers\w200cm.sys
    2008-02-15 16:33 . 2006-02-28 04:00 1,875,968 --a--c--- E:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-02-15 16:32 . 2006-02-28 04:00 13,463,552 --a--c--- E:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\WindowsShell.Manifest
    2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\sapi.cpl.manifest
    2008-02-15 16:30 . 2008-02-15 16:30 749 -rah----- E:\WINDOWS\system32\ncpa.cpl.manifest
    2008-02-15 16:30 . 2008-02-15 16:30 488 -rah----- E:\WINDOWS\system32\logonui.exe.manifest
    2008-02-11 06:48 . 2008-02-11 06:48 60,416 --a------ E:\WINDOWS\system32\drivers\ComboFix.sys
    2008-02-10 23:06 . 2008-02-10 23:06 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
    2008-02-09 14:38 . 2006-02-28 04:00 388,608 --a------ E:\kmd.exe
    2008-02-06 19:06 . 2008-02-06 19:06 1,203 --a------ E:\WINDOWS\mozver.dat
    2008-02-01 19:27 . 2008-02-01 19:27 <DIR> d-------- E:\Program Files\Microsoft Silverlight
    2008-02-01 19:22 . 2008-02-01 19:22 <DIR> d-------- E:\WINDOWS\system32\XPSViewer
    2008-02-01 19:22 . 2008-02-01 19:22 <DIR> d-------- E:\Program Files\Reference Assemblies
    2008-02-01 19:21 . 2008-02-01 19:21 <DIR> d-------- E:\Program Files\MSXML 6.0
    2008-02-01 19:21 . 2008-02-01 19:21 <DIR> d-------- E:\a8e1482b6bc3a98542
    2008-02-01 19:21 . 2006-06-29 13:07 14,048 --a------ E:\WINDOWS\system32\spmsg2.dll
    2008-02-01 19:16 . 2006-11-12 22:02 288,768 --a------ E:\WINDOWS\system32\rhttpaa.dll
    2008-02-01 19:16 . 2006-11-12 22:02 116,736 --a------ E:\WINDOWS\system32\aaclient.dll
    2008-02-01 19:16 . 2006-11-12 22:02 36,352 --a------ E:\WINDOWS\system32\tsgqec.dll
    2008-02-01 06:32 . 2008-02-01 06:32 <DIR> d-------- E:\Program Files\Lavasoft
    2008-02-01 06:32 . 2008-02-01 06:32 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
    2008-02-01 06:32 . 2008-02-01 06:33 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-31 15:03 . 2008-01-31 15:03 0 --a------ E:\t5k
    2008-01-29 13:08 . 2008-01-29 13:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-21 14:37 --------- d-----w E:\Documents and Settings\Rich\Application Data\uTorrent
    2008-02-20 16:00 --------- d-----w E:\Documents and Settings\Rich\Application Data\AVG7
    2008-02-15 23:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\avg7
    2008-02-10 19:30 --------- d-----w E:\Program Files\DU Meter
    2008-02-09 23:59 --------- d-----w E:\Documents and Settings\Rich\Application Data\Azureus
    2008-02-09 14:52 --------- d-----w E:\Program Files\Common Files\Adobe
    2008-02-02 21:31 --------- d-----w E:\Documents and Settings\Rich\Application Data\ZoomBrowser EX
    2008-02-02 21:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\ZoomBrowser
    2008-02-01 14:34 --------- d-----w E:\Program Files\Windows Media Connect 2
    2008-02-01 14:34 --------- d-----w E:\Program Files\Combined Community Codec Pack
    2008-02-01 02:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-01-26 00:34 --------- d-----w E:\Documents and Settings\Rich\Application Data\Vso
    2008-01-20 01:08 --------- d-----w E:\Program Files\iTunes
    2008-01-20 01:07 --------- d-----w E:\Program Files\iPod
    2008-01-20 01:05 --------- d-----w E:\Program Files\QuickTime
    2008-01-19 01:34 --------- d-----w E:\Program Files\Oxin's Style!
    2008-01-13 20:18 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-13 19:45 --------- d-----w E:\Program Files\Spybot - Search & Destroy
    2008-01-11 01:41 --------- d-----w E:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-10 15:23 246,545 ----a-w E:\WINDOWS\system32\libssl32.dll
    2008-01-10 15:23 1,188,375 ----a-w E:\WINDOWS\system32\libeay32.dll
    2008-01-10 05:45 --------- d-----w E:\Documents and Settings\Rich\Application Data\Talkback
    2008-01-05 23:37 --------- d-----w E:\Program Files\Aimersoft
    2008-01-05 03:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\vsosdk
    2008-01-05 03:34 47,360 ----a-w E:\WINDOWS\system32\drivers\pcouffin.sys
    2008-01-05 03:34 47,360 ----a-w E:\Documents and Settings\Rich\Application Data\pcouffin.sys
    2008-01-05 03:34 --------- d-----w E:\Program Files\VSO
    2008-01-04 01:55 --------- d-----w E:\Documents and Settings\Rich\Application Data\Media Player Classic
    2007-12-28 14:56 --------- d-----w E:\Program Files\Azureus
    2007-12-24 05:18 --------- d-----w E:\Documents and Settings\Rich\Application Data\Teleca
    2007-12-23 20:48 --------- d-----w E:\Documents and Settings\Rich\Application Data\Sony Ericsson
    2007-12-23 20:46 --------- d-----w E:\Program Files\Common Files\Teleca Shared
    2007-12-23 20:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Teleca
    2007-12-23 20:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Sony Ericsson
    2007-12-23 20:45 --------- d-----w E:\Program Files\Sony Ericsson
    2007-12-22 20:58 --------- d-----w E:\Program Files\Super_DVD_Creator_9.5
    2007-12-14 19:32 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
    2007-11-11 06:10 938 ----a-w E:\Program Files\Common Files\Xnews.ini
    2007-11-11 06:10 1,386,772 ----a-w E:\Program Files\Common Files\SHAW news.newsrc
    2007-11-10 15:24 1,385,080 ----a-w E:\Program Files\Common Files\SHAW news.newsrc.bak
    2007-11-10 15:13 94 ----a-w E:\Program Files\Common Files\servers.ini
    2007-11-10 15:12 89,626 ----a-w E:\Program Files\Common Files\changes.txt
    2007-11-10 15:12 834 ----a-w E:\Program Files\Common Files\sample-score.ini
    2007-11-10 15:12 6,414 ----a-w E:\Program Files\Common Files\scoring.txt
    2007-11-10 15:12 42,598 ----a-w E:\Program Files\Common Files\pcre.html
    2007-11-10 15:12 359 ----a-w E:\Program Files\Common Files\groups.ini
    2007-11-10 15:12 12,800 --sha-w E:\Program Files\Common Files\Thumbs.db
    2007-11-10 15:12 102,699 ----a-w E:\Program Files\Common Files\manual.html
    2007-11-10 15:12 1,427 ----a-w E:\Program Files\Common Files\readme.txt
    2007-11-10 15:12 1,255,936 ----a-w E:\Program Files\Common Files\Xnews.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04 139264]
    "MsnMsgr"="E:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "Active Desktop Calendar"="E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 14:13 3330048]
    "uTorrent"="E:\Program Files\uTorrent\uTorrent.exe" [2007-12-01 13:48 250672]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-19 08:38 579072]
    "RegistryMechanic"="E:\Program Files\Registry Mechanic\RegMech.exe" [2005-12-25 18:27 7634944]
    "SoundMAXPnP"="E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 08:11 1388544]
    "SoundMAX"="E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 11:41 860160]
    "NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40 155648]
    "SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "DU Meter"="E:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 18:28 1469952]
    "GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
    "WinampAgent"="E:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22 35328]
    "PC Pitstop Optimize Scheduler"="E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-10-26 15:53 2577120]
    "Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
    "SpybotSnD"="E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2007-08-31 16:46 4943184]
    "QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
    "iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
    "Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="E:\WINDOWS\System32\CTFMON.EXE" [2006-02-28 04:00 15360]
    "AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:50 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="E:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 21:59 44544]

    E:\Documents and Settings\Rich\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
    OneNote 2007 Screen Clipper and Launcher.lnk - E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

    S3 UXDCMN;UXDCMN;F:\UXDCMN.SYS []
    S3 w200bus;Sony Ericsson W200 driver (WDM);E:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 09:42]
    S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;E:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 09:42]
    S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;E:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 09:42]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-16 23:53:02 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - E:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-21 06:43:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-21 6:44:03
    ComboFix-quarantined-files.txt 2008-02-21 14:44:01
    ComboFix2.txt 2008-02-16 01:18:45
    .
    2008-02-21 11:00:28 --- E O F ---
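    An added example, not part of this thread or of ComboFix itself: it parses the CFScript from post #11 (File:: paths and "name"=- registry deletions) and checks a ComboFix log in the format of post #12 to confirm the files were reported deleted and the Run values are gone. The log excerpt is constructed and abridged from the thread; the dirty variant is constructed to show what a leftover looks like.

```python
"""Check a post-fix ComboFix log against the CFScript that drove it."""
import re

# Constructed from the CFScript posted in the thread; "name"=- asks
# ComboFix to delete that registry value.
CFSCRIPT = r"""File::
E:\WINDOWS\system32\wa56.exe
E:\WINDOWS\SET209.tmp
E:\WINDOWS\SET206.tmp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wa56"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wa56"=-
"""

# Constructed, abridged excerpt of the post-fix ComboFix log in the thread.
CLEAN_LOG = r"""FILE
E:\WINDOWS\SET206.tmp
E:\WINDOWS\SET209.tmp
E:\WINDOWS\system32\wa56.exe
.
((((( Reg Loading Points )))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-19 08:38 579072]
"""

# Constructed variant: wa56.exe missing from the FILE section and its
# HKLM Run value still present, i.e. the fix did not fully take.
DIRTY_LOG = CLEAN_LOG.replace(
    r"E:\WINDOWS\system32\wa56.exe" + "\n.", ".", 1
).replace(
    '"AVG7_CC"=', r'"wa56"="E:\WINDOWS\system32\wa56.exe"' + "\n" + '"AVG7_CC"=', 1
)


def parse_cfscript(text):
    """Return (files, reg_deletes): paths to delete and (key, value) pairs."""
    files, reg_deletes = set(), set()
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):             # section header such as File::
            section = line[:-2].lower()
            continue
        if section == "file":
            files.add(line.lower())         # Windows paths: compare case-insensitively
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1].lower()
            else:
                m = re.match(r'"([^"]+)"=-$', line)   # "name"=- deletes the value
                if m and key:
                    reg_deletes.add((key, m.group(1).lower()))
    return files, reg_deletes


def parse_combofix_log(text):
    """Return (deleted_files, run_entries); run_entries: key -> {name: data}."""
    deleted, run_entries = set(), {}
    mode, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FILE":                  # files removed via the script
            mode = "file"
            continue
        if "Reg Loading Points" in line:    # autostart section starts here
            mode = "reg"
            continue
        if mode == "file":
            if line in ("", "."):           # "." terminates a ComboFix section
                mode = None
            else:
                deleted.add(line.lower())
        elif mode == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1].lower()
                run_entries.setdefault(key, {})
            else:
                m = re.match(r'"([^"]+)"="([^"]*)"', line)
                if m and key:
                    run_entries[key][m.group(1).lower()] = m.group(2)
    return deleted, run_entries


def check_cleanup(script_text, log_text):
    """List every item the script requested that the log does not confirm."""
    files, reg_deletes = parse_cfscript(script_text)
    deleted, run_entries = parse_combofix_log(log_text)
    findings = [f"file not reported deleted: {p}" for p in sorted(files - deleted)]
    for key, name in sorted(reg_deletes):
        if name in run_entries.get(key, {}):
            findings.append(f"run value still present: [{key}] {name}")
    return findings
```

An empty result means every requested deletion is reflected in the log; anything listed is worth re-checking before moving on to the next scan.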

  3. #13
    Junior Member
    Join Date
    Jan 2008
    Posts
    11

    Default Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 6:46:40 AM, on 2/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\Program Files\DU Meter\DUMeter.exe
    E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    E:\WINDOWS\system32\svchost.exe
    E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    E:\Program Files\Canon\CAL\CALMAIN.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Common Files\Teleca Shared\Generic.exe
    E:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    E:\Program Files\Windows Live\Messenger\usnsvc.exe
    E:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    E:\WINDOWS\explorer.exe
    E:\Documents and Settings\Rich\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /QS
    O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\avgfwafu.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176328460015
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1176329388623
    O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,38
    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://www.easypix.ca/upload/activex...v2.0.0.10.cab?
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

  4. #14
    Junior Member
    Join Date
    Jan 2008
    Posts
    11

    Default fyi..

    Just FYI.. before I did this latest fix, I have been unable to update Windows (yes, it's a legit version). I have 91 available updates but they won't "successfully install." I have to go to work now and then I will be away until Sunday night. Thanks again for your help.

  5. #15
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    We will handle that update issue after you're clean.

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Note: This scanner will work with Internet Explorer Only!

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    Post:

    - a fresh HijackThis log
    - kaspersky report

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Due to the lack of feedback this Topic is closed.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.