
Thread: Can't get rid of PWS.LDPinchIE

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Can't get rid of PWS.LDPinchIE

    Hello,

    I have a WinXP SP3 with a virus I can't get rid of. MS Automatic Updates are enabled, and I am using Firefox's most current version. I believe it started from a hijacked web site. There were initially several infections. I used AVG, Spybot, RootAlyzer, unhookexec.inf in trying to clean this up, running most in Safe Mode and Standard mode. I believe all is cleaned up with the exception of PWS.LDPinchIE. At least that is all I can see traces of. The machine is now off the net, so it is not getting reinfected.

    Cleaned down to the following things constantly recurring on reboot:
    - reported by Spybot:
    Hidden registry key PWS.LDPinchIE

    - reported by rootalyzer:
    (4) Hidden Files with cryptic names in c:\windows\system32
    (three of them cannot be deleted)
    (1) Hidden file with a cryptic name in c:\windows\system32\drivers

    No matter what I try, these files come back after reboot. Here is my HijackThis log after a fresh reboot. Please help.

    Thanks,
    Steve
    ===============

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:32:58 AM, on 5/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spybot\TeaTimer.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
    O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvuuss - tuvuuss.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5908 bytes

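    As an added example (not code from this thread, from HijackThis, or from Trend Micro), the script below parses the `Onn - ...` entry lines of a HijackThis log like the one above and applies the checks a helper applies by eye: a load point whose file is missing, a file name that looks generated, and one CLSID registered at more than one load point (here the same CLSID appears as both an O2 BHO and an O22 SharedTaskScheduler entry, both pointing at afnoinkdsfe.dll). The sample lines are constructed for this example from the kinds of entries in the log above, and the consonant-run threshold is the example's own choice; it also trips on vendor abbreviations such as avgrsstx.dll, which is why the output is a triage list for a human to review rather than a verdict.

```python
"""Triage helper for HijackThis 2.x log entries (added example, not HijackThis code)."""
import re
from collections import defaultdict

# One "Onn - ..." entry per line; R-lines (browser start/search URLs) are ignored here.
ENTRY_RE = re.compile(r'^(?P<kind>O\d+) - (?P<body>.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
MISSING_MARKERS = ('(file missing)', '(no file)')

# Sample entries, constructed for this example from the kinds of lines the log
# above contains: one loader DLL registered twice, one missing Notify DLL, and
# a few legitimate AVG / Spybot entries to show where the heuristics misfire.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - tuvuuss.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
"""


def parse_entries(log_text):
    """Split a log into dicts with kind, body, CLSID (if any) and the load target."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group('kind'), m.group('body')
        clsid = CLSID_RE.search(body)
        if kind == 'O4' and ']' in body:
            target = body.split(']', 1)[1].strip()      # O4: "[name] command"
        else:
            target = body.rsplit(' - ', 1)[-1].strip()  # others: last " - " segment
        entries.append({'kind': kind, 'body': body,
                        'clsid': clsid.group(0).upper() if clsid else None,
                        'target': target})
    return entries


def stem_of(target):
    """File-name stem of a target: last path component, no extension, no trailing note."""
    name = target.replace('/', '\\').split('\\')[-1]
    name = name.split(' ', 1)[0]          # drop "(file missing)" and similar
    return name.rsplit('.', 1)[0].lower()


def looks_random(stem):
    """Crude test for generated names: 8+ letters containing a run of 5+ consonants.
    Vendor abbreviations (avgrsstx) trip it too, so treat it as a hint, not proof."""
    return len(stem) >= 8 and stem.isalpha() and re.search(r'[^aeiouy]{5,}', stem) is not None


def triage(log_text):
    """Return findings (kind, target, reasons, severity) for entries worth a closer look."""
    entries = parse_entries(log_text)
    kinds_by_clsid = defaultdict(set)
    for e in entries:
        if e['clsid']:
            kinds_by_clsid[e['clsid']].add(e['kind'])
    findings = []
    for e in entries:
        reasons = []
        if any(marker in e['body'] for marker in MISSING_MARKERS):
            reasons.append('load point references a file that is missing')
        stem = stem_of(e['target'])
        if looks_random(stem):
            reasons.append(f'random-looking file name "{stem}"')
        if e['clsid'] and len(kinds_by_clsid[e['clsid']]) > 1:
            reasons.append('CLSID %s registered at several load points (%s)'
                           % (e['clsid'], ', '.join(sorted(kinds_by_clsid[e['clsid']]))))
        if reasons:
            findings.append({'kind': e['kind'], 'target': e['target'], 'reasons': reasons,
                             'severity': 'high' if len(reasons) > 1 else 'review'})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']} {f['target']}")
        for r in f['reasons']:
            print('         -', r)
```

    Run it as-is to see the constructed sample triaged, or feed it a saved log with `triage(open('hijackthis.log').read())`. The two afnoinkdsfe.dll entries come out as high because two independent signals agree; avgrsstx.dll comes out as review on the name heuristic alone, which is the false positive a helper would dismiss after checking the vendor path.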
  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi and welcome to the Forums
    You're infected.

    Disable Spybot S&D TeaTimer.
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu select "Advanced Mode"
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer

    We will begin with ComboFix.

    Please download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper.


    If you need help, see this link:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Ran ComboFix - Here are the logs

    Hi Mr_JAk3

    Thanks for helping with this problem. I have not used ComboFix before so I don't know if this is normal or not, but near the end, it blue-screened to a physical memory dump that took about 20 minutes to complete. I left it alone and it rebooted on its own.

    Here are the logs. Did ComboFix clean it up, or is there more?
    Steve
    ------------------------

    ComboFix 09-05-21.01 - Steve 05/21/2009 19:01.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1589 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\fnts~1
    c:\program files\Common Files\ystem3~1
    c:\program files\INSTALL.LOG
    c:\windows\system32\afnoinkdsfe.dll
    c:\windows\system32\b3
    c:\windows\system32\bkmoopob.exe
    c:\windows\system32\CID
    c:\windows\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
    c:\windows\system32\e9
    c:\windows\system32\Ijl11.dll
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\olizezim.ini
    c:\windows\system32\ovfstheuposgxodxgbmcnmkjawoinysysxtrpg.dat
    c:\windows\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll
    c:\windows\system32\ovfsthokvbxvihlxhdejojsrmrqwyvkxxljxwb.dat
    c:\windows\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll
    c:\windows\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll
    c:\windows\system32\p2
    c:\windows\system32\p2hhr.bat
    c:\windows\system32\pac.txt
    c:\windows\system32\qpqss.ini
    c:\windows\system32\qpqss.ini2
    c:\windows\system32\SvcNm
    c:\windows\system32\t8
    c:\windows\system32\url1
    c:\windows\system32\url2
    c:\windows\system32\url3
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\winsrc.dll.tmp
    c:\windows\system32\wscmp.dll.tmp
    c:\windows\system32\z0
    c:\windows\system32\z0\vetzcomz22.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk
    -------\Legacy_CMDSERVICE
    -------\Legacy_NETWORK_MONITOR
    -------\Legacy_NTLOAD
    -------\Legacy_OULTRAF
    -------\Service_oUltraf


    ((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
    .

    2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w c:\program files\Trend Micro
    2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w c:\program files\RegBackup ERUNT
    2009-05-20 04:25 . 2009-05-20 05:34 -------- d-----w c:\program files\Hijack this
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\Steve\Application Data\Malwarebytes
    2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w c:\documents and settings\Steve\Application Data\Safer Networking
    2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w c:\program files\Safer Networking
    2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w c:\program files\ProcessExplorer
    2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w c:\windows\system32\GroupPolicy
    2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w c:\windows\system32\d3d9caps.dat
    2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w c:\windows\SxsCaPendDel
    2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w c:\windows\system32\USERINIT.EXE
    2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
    2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w c:\documents and settings\Steve\Application Data\ptidle
    2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\SimCity Societies
    2009-05-13 11:42 . 2009-05-13 11:42 390664 ----a-w c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w c:\windows\system32\KB905474
    2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
    2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
    2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
    2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w c:\documents and settings\Steve\Application Data\Soldat
    2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll
    2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w c:\documents and settings\All Users\Application Data\Ironclad Games
    2009-04-30 21:25 . 2009-05-10 19:58 -------- d-----w c:\documents and settings\Steve\Application Data\Mumble
    2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w c:\windows\system32\xlive.dll
    2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-22 00:24 . 2009-03-29 22:46 -------- d-----w c:\program files\Mozilla Sunbird
    2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-05-17 15:23 . 2004-09-22 14:40 90328 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w c:\program files\Stardock Games
    2009-05-05 20:23 . 2007-03-13 20:38 64 ----a-w c:\windows\popcinfot.dat
    2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w c:\windows\system32\avgrsstx.dll
    2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w c:\documents and settings\Steve\Application Data\WTablet
    2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w c:\documents and settings\Steve\Application Data\Winamp
    2009-04-23 01:30 . 2008-08-16 13:46 1 ----a-w c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-04-23 01:30 . 2008-08-07 00:46 -------- d-----w c:\documents and settings\Steve\Application Data\OpenOffice.org2
    2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w c:\windows\system32\PnkBstrB.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
    2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
    2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w c:\windows\system32\PnkBstrA.exe
    2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w c:\windows\War3Unin.dat
    2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w c:\windows\eReg.dat
    2009-03-06 14:22 . 2004-08-04 05:56 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2004-08-04 05:56 826368 ----a-w c:\windows\system32\wininet.dll
    2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w c:\program files\temp01
    2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w c:\program files\error.dat
    2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w c:\program files\Readme.txt
    2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w c:\program files\EULA.txt
    2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w c:\program files\internet explorer\plugins\djvu0407.dll
    2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w c:\program files\internet explorer\plugins\djvu0409.dll
    2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w c:\program files\internet explorer\plugins\djvu040c.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0411.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0412.dll
    2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w c:\program files\internet explorer\plugins\djvu0804.dll
    2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w c:\program files\internet explorer\plugins\DjVuCntl.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="d:\games\steam\steam.exe" [2009-03-12 1410296]
    "Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
    ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
    Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
    Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 5980]
    Sins of a Solar Empire Launcher.lnk - d:\games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe [2008-1-18 587992]
    Ventrilo Server.lnk - c:\program files\Ventrilo\Ventrilo Server\ventrilo_srv.exe [2007-11-19 274432]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-03 18:08 11952 ----a-w c:\windows\system32\avgrsstx.dll

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "aux"= ctwdm32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMe7f9c16d
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e4caf2f1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "DGPN"=2 (0x2)
    "TabletServiceWacom"=2 (0x2)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Brother XP spl Service"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
    "d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Games\\World in Conflict\\wic.exe"=
    "d:\\Games\\World in Conflict\\wic_online.exe"=
    "d:\\Games\\World in Conflict\\wic_ds.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
    "d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
    "c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
    "d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
    "g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
    "g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\prey\\prey.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\empire total war demo\\Empire.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\osmos igf demo\\OsmosDemo.exe"=
    "g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
    "d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\flock demo\\Flock.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
    R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
    R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
    S0 oconlgyl;oconlgyl;c:\windows\system32\drivers\rjzeagsc.dat --> c:\windows\system32\drivers\rjzeagsc.dat [?]
    S1 usbstorr;usbstorr;c:\windows\system32\drivers\usbstorr.sys --> c:\windows\system32\drivers\usbstorr.sys [?]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
    S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
    S4 DGPN;Security Service;c:\windows\system32\svcd\svchost.exe --> c:\windows\system32\svcd\svchost.exe [?]
    S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2005-08-07 c:\windows\Tasks\cleanup-test.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-04 c:\windows\Tasks\cleanup.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-12 c:\windows\Tasks\DataOnly.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

    2009-05-22 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
    Notify-tuvuuss - tuvuuss.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
    FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
    FF - plugin: g:\gametap\bin\Release\npgametaptool.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-21 19:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\oconlgyl]
    "ImagePath"="system32\drivers\rjzeagsc.dat"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "????????????????????????"=hex:63,a2,df,ea,77,f0,95,25,eb,6c,dc,66,29,e5,12,1d,
    2c,29,70,2c,5c,5c,25,f7,2c,2c,5c,d1,25,c3,2e,2e,00,00,00,00,00,00,00,00,00,\
    "???n"=hex:67,c5,3f,af,2f,06,f4,bd,6a,bc,3c,06,c9,a8,f3,94,cf,fc,28,65,23,1f,
    51,a4,66,c3,ff,fd,10,6b,09,b0,09,00,c0,46,db,0a,6f,85,96,63,1a,e5,64,d4,d7,\
    "?????"=hex:9b,9d,a9,7e,82,9e,bf,2c,e9,55,17,f0,77,5c,30,60
    "???n"=hex:ca,7f,b1,85,35,af,19,95,9b,a8,37,7a,99,ab,d7,56,38,b0,d3,96,72,26,
    af,0f,16,9e,d6,36,d2,33,4f,56,ef,d6,90,a9,11,dc,dd,ab,e0,b9,e6,2f,ab,b3,26,\
    "??"=hex:1b,ee,fb,ee,5e,a8,db,76,e9,8e,a8,56,0f,22,bd,59,a7,f5,31,8b,68,3d,0d,
    66,8f,a9,af,3a,cd,97,dd,26,b6,8f,e0,00,53,f0,17,e0,33,21,7c,c4,ec,bb,45,d6,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:60,0d,47,33,43,d6,05,78,97,20,41,75,fe,20,a2,c4,e6,c4,14,cd,72,
    bc,80,4a,7f,c2,b8,b7,b8,67,45,6b,87,24,7d,2b,e6,ac,26,26,0f,b6,9f,85,ba,26,\
    "rkeysecu"=hex:65,d6,a2,52,b5,22,4b,f2,49,55,2b,25,75,bf,64,56
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(800)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(224)
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\MSVCP71.dll
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\UAService7.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-05-22 19:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-22 00:28

    Pre-Run: 11,541,295,104 bytes free
    Post-Run: 12,496,691,200 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    336 --- E O F --- 2009-05-16 21:42

    -----------------------------------------------
    -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:37:36 PM, on 5/21/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
    O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5189 bytes
    ------------------------------------------------------------

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Looks better but not clean yet.

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    c:\windows\system32\svcd

    File::
    c:\windows\system32\svcd\svchost.exe
    c:\windows\system32\drivers\rjzeagsc.dat
    c:\windows\system32\drivers\usbstorr.sys

    Driver::
    oconlgyl
    usbstorr
    DGPN

    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
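The step from the log findings to the File::/Driver:: stanzas in the CFScript above (a hidden service whose ImagePath is a .dat under the drivers folder, plus the "(file missing)" O23 entries from HijackThis) can be mechanised. This is an added Python example, not code from this thread or from ComboFix; the sample log lines are constructed from the excerpts posted in the thread, and the Windows root and the two heuristics are assumptions.

```python
"""Triage ComboFix / HijackThis log lines for driver-style persistence and
emit the matching CFScript stanzas (File:: / Driver::).

Added example, not code from this thread or from ComboFix. The sample log
lines are constructed from the excerpts posted above; WINDIR and the two
heuristics are assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: standard XP root. ComboFix prints ImagePath values relative to it
# (e.g. "system32\drivers\rjzeagsc.dat"); HijackThis prints full paths.
WINDIR = r"c:\windows"

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\(?:CurrentControlSet|ControlSet\d+)"
    r"\\Services\\([^\\\]]+)\]$", re.IGNORECASE)
IMAGE_PATH_RE = re.compile(r'^"ImagePath"="(.+)"$', re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

# Constructed sample: the hidden service from the catchme section of the first
# ComboFix log, a legit AVG driver, and two O23 lines from the HijackThis log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\oconlgyl]
"ImagePath"="system32\drivers\rjzeagsc.dat"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbstorr]
"ImagePath"="system32\drivers\usbstorr.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AvgLdx86]
"ImagePath"="system32\drivers\avgldx86.sys"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    service: str
    image_path: str
    reason: str
    removable: bool  # True -> emit File:: / Driver:: stanzas for it


def normalize_path(raw: str) -> str:
    """Turn the path forms seen in these logs into one full lowercase path."""
    p = raw.strip().strip('"')
    for prefix in ("\\??\\", "\\systemroot\\"):   # NT-native spellings
        if p.lower().startswith(prefix):
            p = p[len(prefix):]
            break
    if not re.match(r"^[a-z]:\\", p, re.IGNORECASE):   # relative to WINDIR
        p = WINDIR + "\\" + p.lstrip("\\")
    return p.lower()


def triage(lines):
    """Return Findings for service entries worth acting on."""
    findings = []
    pending = None   # service name from the last [...\Services\<name>] header
    for line in (ln.strip() for ln in lines):
        m = SERVICE_KEY_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = IMAGE_PATH_RE.match(line)
        if m and pending:
            path = normalize_path(m.group(1))
            # Heuristic 1: a kernel driver registered from the drivers folder
            # should be a .sys; a .dat there (rjzeagsc.dat) is a red flag.
            # A look-alike name with the right extension (usbstorr.sys beside
            # the legit usbstor.sys) passes this check and needs a known-good list.
            if "\\drivers\\" in path and not path.endswith(".sys"):
                findings.append(Finding(pending, path,
                                        "driver image is not a .sys file", True))
            pending = None
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            # Heuristic 2: HijackThis marks services whose binary is gone.
            # Usually a leftover (here an old ATI tool): report, do not remove.
            short = re.search(r"\(([^()]+)\)$", m.group("name"))
            name = short.group(1) if short else m.group("name")
            findings.append(Finding(name, normalize_path(m.group("path")),
                                    "service binary missing (orphan, review only)",
                                    False))
    return findings


def build_cfscript(findings):
    """Emit the File:: and Driver:: stanzas ComboFix expects for removals."""
    files = [f.image_path for f in findings if f.removable]
    drivers = [f.service for f in findings if f.removable]
    if not files:
        return ""
    return ("File::\n" + "\n".join(files) + "\n\n"
            "Driver::\n" + "\n".join(drivers) + "\n")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.service:<20} {f.reason:<45} {f.image_path}")
    print(build_cfscript(found), end="")
```

Run against the constructed sample it reports oconlgyl as removable and the ATI entry as an orphan to review, and prints the same File::/Driver:: stanzas the helper wrote by hand.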

  5. #5
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Default

    Ok, I ran what you said. Here are my logs from combofix and hijackthis. How's it look now?
    Steve

    =============================

    ComboFix 09-05-22.05 - Steve 05/22/2009 18:49.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1508 [GMT -5:00]
    Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    c:\windows\system32\drivers\rjzeagsc.dat
    c:\windows\system32\drivers\usbstorr.sys
    c:\windows\system32\svcd\svchost.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DGPN
    -------\Legacy_OCONLGYL
    -------\Legacy_USBSTORR
    -------\Service_DGPN
    -------\Service_oconlgyl
    -------\Service_usbstorr


    ((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
    .

    2009-05-22 17:47 . 2009-05-03 18:08 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-05-22 17:47 . 2009-05-03 18:08 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
    2009-05-22 17:47 . 2009-05-03 18:08 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
    2009-05-22 17:47 . 2009-05-03 18:08 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
    2009-05-22 17:47 . 2009-05-03 18:08 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
    2009-05-22 17:47 . 2009-05-03 18:08 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
    2009-05-22 17:47 . 2009-05-03 18:08 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
    2009-05-22 17:47 . 2009-05-03 18:08 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
    2009-05-22 17:45 . 2009-05-03 18:07 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
    2009-05-22 17:45 . 2009-05-03 18:07 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
    2009-05-22 00:37 . 2009-05-22 00:37 -------- d-----w c:\program files\Hijack This
    2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w c:\program files\Trend Micro
    2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w c:\program files\RegBackup ERUNT
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\Steve\Application Data\Malwarebytes
    2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w c:\documents and settings\Steve\Application Data\Safer Networking
    2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w c:\program files\Safer Networking
    2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w c:\program files\ProcessExplorer
    2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w c:\windows\system32\GroupPolicy
    2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w c:\windows\system32\d3d9caps.dat
    2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w c:\windows\SxsCaPendDel
    2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w c:\windows\system32\USERINIT.EXE
    2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
    2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w c:\documents and settings\Steve\Application Data\ptidle
    2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\SimCity Societies
    2009-05-13 11:42 . 2009-05-13 11:42 390664 ----a-w c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w c:\windows\system32\KB905474
    2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
    2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
    2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
    2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w c:\documents and settings\Steve\Application Data\Soldat
    2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll
    2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w c:\documents and settings\All Users\Application Data\Ironclad Games
    2009-04-30 21:25 . 2009-05-10 19:58 -------- d-----w c:\documents and settings\Steve\Application Data\Mumble

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-22 23:53 . 2009-03-29 22:46 -------- d-----w c:\program files\Mozilla Sunbird
    2009-05-22 00:36 . 2009-02-01 02:50 -------- d-----w c:\program files\Spybot
    2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-05-17 15:23 . 2004-09-22 14:40 90328 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w c:\program files\Stardock Games
    2009-05-05 20:23 . 2007-03-13 20:38 64 ----a-w c:\windows\popcinfot.dat
    2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w c:\windows\system32\avgrsstx.dll
    2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
    2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w c:\documents and settings\Steve\Application Data\WTablet
    2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w c:\documents and settings\Steve\Application Data\Winamp
    2009-04-23 01:30 . 2008-08-16 13:46 1 ----a-w c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-04-23 01:30 . 2008-08-07 00:46 -------- d-----w c:\documents and settings\Steve\Application Data\OpenOffice.org2
    2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w c:\windows\system32\xlive.dll
    2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll
    2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w c:\windows\system32\PnkBstrB.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
    2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
    2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
    2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w c:\windows\system32\PnkBstrA.exe
    2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w c:\windows\War3Unin.dat
    2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w c:\windows\eReg.dat
    2009-03-06 14:22 . 2004-08-04 05:56 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2004-08-04 05:56 826368 ----a-w c:\windows\system32\wininet.dll
    2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w c:\program files\temp01
    2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w c:\program files\error.dat
    2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w c:\program files\Readme.txt
    2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w c:\program files\EULA.txt
    2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w c:\program files\internet explorer\plugins\djvu0407.dll
    2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w c:\program files\internet explorer\plugins\djvu0409.dll
    2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w c:\program files\internet explorer\plugins\djvu040c.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0411.dll
    2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0412.dll
    2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w c:\program files\internet explorer\plugins\djvu0804.dll
    2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w c:\program files\internet explorer\plugins\DjVuCntl.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\windows\system32\svcd ----



    ((((((((((((((((((((((((((((( SnapShot@2009-05-22_00.25.26 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="d:\games\steam\steam.exe" [2009-05-22 1217784]
    "Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\Steve\Start Menu\Programs\Startup\
    AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
    ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
    Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
    Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 5980]
    Sins of a Solar Empire Launcher.lnk - d:\games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe [2008-1-18 587992]
    Ventrilo Server.lnk - c:\program files\Ventrilo\Ventrilo Server\ventrilo_srv.exe [2007-11-19 274432]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-05-03 18:08 11952 ----a-w c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
    [BU]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "aux"= ctwdm32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "DGPN"=2 (0x2)
    "TabletServiceWacom"=2 (0x2)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Brother XP spl Service"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
    "d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
    "d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Games\\World in Conflict\\wic.exe"=
    "d:\\Games\\World in Conflict\\wic_online.exe"=
    "d:\\Games\\World in Conflict\\wic_ds.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
    "d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
    "d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
    "c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
    "d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
    "g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
    "g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\prey\\prey.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\empire total war demo\\Empire.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\osmos igf demo\\OsmosDemo.exe"=
    "g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
    "d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
    "d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\flock demo\\Flock.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
    "d:\\Games\\Steam\\SteamApps\\common\\necrovision - demo\\Bin\\NecroVisioN.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
    R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
    R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
    S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
    S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2005-08-07 c:\windows\Tasks\cleanup-test.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-04 c:\windows\Tasks\cleanup.job
    - d:\data\cleanup.bat [2004-09-07 02:12]

    2009-05-12 c:\windows\Tasks\DataOnly.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 00:12]

    2009-05-22 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-procexp90.Sys


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
    FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
    FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
    FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
    FF - plugin: g:\gametap\bin\Release\npgametaptool.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-22 18:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "????????????????????????"=hex:63,a2,df,ea,77,f0,95,25,eb,6c,dc,66,29,e5,12,1d,
    2c,29,70,2c,5c,5c,25,f7,2c,2c,5c,d1,25,c3,2e,2e,00,00,00,00,00,00,00,00,00,\
    "???n"=hex:67,c5,3f,af,2f,06,f4,bd,6a,bc,3c,06,c9,a8,f3,94,cf,fc,28,65,23,1f,
    51,a4,66,c3,ff,fd,10,6b,09,b0,09,00,c0,46,db,0a,6f,85,96,63,1a,e5,64,d4,d7,\
    "?????"=hex:9b,9d,a9,7e,82,9e,bf,2c,e9,55,17,f0,77,5c,30,60
    "???n"=hex:ca,7f,b1,85,35,af,19,95,9b,a8,37,7a,99,ab,d7,56,38,b0,d3,96,72,26,
    af,0f,16,9e,d6,36,d2,33,4f,56,ef,d6,90,a9,11,dc,dd,ab,e0,b9,e6,2f,ab,b3,26,\
    "??"=hex:1b,ee,fb,ee,5e,a8,db,76,e9,8e,a8,56,0f,22,bd,59,a7,f5,31,8b,68,3d,0d,
    66,8f,a9,af,3a,cd,97,dd,26,b6,8f,e0,00,53,f0,17,e0,33,21,7c,c4,ec,bb,45,d6,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

    [HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:60,0d,47,33,43,d6,05,78,97,20,41,75,fe,20,a2,c4,e6,c4,14,cd,72,
    bc,80,4a,7f,c2,b8,b7,b8,67,45,6b,87,24,7d,2b,e6,ac,26,26,0f,b6,9f,85,ba,26,\
    "rkeysecu"=hex:65,d6,a2,52,b5,22,4b,f2,49,55,2b,25,75,bf,64,56
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3424)
    c:\program files\Logitech\SetPoint\GameHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\MSVCP71.dll
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\UAService7.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-22 18:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-22 23:57
    ComboFix2.txt 2009-05-22 00:28

    Pre-Run: 12,269,916,160 bytes free
    Post-Run: 12,240,506,880 bytes free

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    309 --- E O F --- 2009-05-16 21:42

    ===============================================
    ===============================================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:10:30 PM, on 5/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\games\steam\steam.exe
    C:\Program Files\Executor\executor.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
    O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5090 bytes

    ==============================================

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi again, looking much better

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    ==================


    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

    O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\

    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use the Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Run Kaspersky Online AV Scanner

    Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.

    Go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan and then put the kettle on!
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

    Restart the computer.
    ================

    When you're ready, please post the following logs to here:
    - Kaspersky's report
    - a fresh HijackThis log
    - let me know how the pc is running
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
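    The O20 line the helper asks to fix is a Winlogon Notify registration that points at a bare directory rather than a DLL: the file was already removed, but the registry hook that loads it at every logon survived, which is why the entry keeps showing up. The script below is an added example (not from this thread or from HijackThis) that reads the O4, O20 and O23 sections of a HijackThis log and returns the entries a responder would look at first: notify packages with no DLL name, startup shortcuts whose target could not be resolved, and services whose binary is missing or has no publisher. The sample log is a constructed excerpt of the log posted above; the Finding fields and the flagging rules are this example's own.

```python
"""Triage a HijackThis log for hooks that cannot be legitimate.

Added example, not code from the thread or from HijackThis. It reads the
O4/O20/O23 sections of a log and returns the entries a responder would look
at first. SAMPLE_LOG is a constructed excerpt of the log posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code (O4, O20, O23)
    name: str      # registry value / notify package / service name
    target: str    # what the entry points at, as logged
    reason: str    # why it was flagged


O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$")


def triage(log_text: str) -> list[Finding]:
    """Return the entries that need attention, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            target = m.group("target").strip()
            # A Winlogon Notify package must name a DLL. A bare directory
            # (as with "tuvuuss - C:\WINDOWS\") means the DLL is gone but the
            # registration that would load it at logon is still in place.
            if not target or target.endswith("\\"):
                findings.append(Finding("O20", m.group("name"), target,
                                        "notify package registered without a DLL name"))
        elif m := O4_STARTUP_RE.match(line):
            # "?" means HijackThis could not resolve the shortcut's target.
            if m.group("target").strip() == "?":
                findings.append(Finding("O4", m.group("name"), "?",
                                        "startup shortcut with unresolved target"))
        elif m := O23_RE.match(line):
            reasons = []
            if "(file missing)" in m.group("target"):
                reasons.append("service binary missing on disk")
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded")
            if reasons:
                findings.append(Finding("O23", m.group("name"), m.group("target"),
                                        "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<20} {f.reason}")
```

The three rules are deliberately narrow: they catch only shapes that no legitimate installer produces, so the output is a short list to examine rather than a verdict on the whole log. Entries like the AVG notify DLL and the AVG watchdog service pass untouched.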

  7. #7
    Junior Member
    Join Date
    May 2009
    Posts
    13


    Hi Mr_Jak3

    I followed your instructions, and here are the scan and hijackthis logs. How's it looking now?

    Steve

    =============================

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Sunday, May 24, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Sunday, May 24, 2009 16:28:49
    Records in database: 2234316
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Files scanned: 565085
    Threat name: 13
    Infected objects: 34
    Suspicious objects: 0
    Duration of the scan: 06:13:23


    File name / Threat name / Threats count
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4a03e20f Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-7a73e55c Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-148d63e7 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\52\7c5dd1b4-72dc4052 Infected: Trojan.Java.ClassLoader.ao 1
    C:\Documents and Settings\Steve\Desktop\AV Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
    C:\Documents and Settings\Steve\Desktop\To Sort Later\Anti-Spyware\backups\backup-20080113-173930-245-source.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\BattleBotv8.2 - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Bagle.ai 2
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir Infected: Trojan.Win32.Tdss.aald 1
    C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064885.dll Infected: Trojan.Win32.Tdss.aalc 1
    C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064886.dll Infected: Trojan.Win32.Tdss.aalg 1
    C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064887.dll Infected: Trojan.Win32.Tdss.aald 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210613.sys Infected: Trojan.Win32.Tdss.aalf 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210614.dll Infected: Trojan.Win32.Tdss.aalc 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210615.dll Infected: Trojan.Win32.Tdss.aalg 1
    C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210616.dll Infected: Trojan.Win32.Tdss.aald 1
    C:\WINDOWS\system32\pofegohu(junk).dllllll Infected: Packed.Win32.Krap.q 1
    E:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-11267197.zip Infected: Exploit.Java.Gimsh.b 1
    E:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-400827c9.zip Infected: Exploit.Java.Gimsh.b 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\BattleBotv8.2 - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
    E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Bagle.ai 2
    H:\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

    The selected area was scanned.

    ================================================

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:26:51 PM, on 5/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\games\steam\steam.exe
    C:\Program Files\Executor\executor.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    G:\AWC (Auto Wallpaper Changer)\AWC.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Stardock\Impulse\Impulse.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
    O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
    O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
    O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

    --
    End of file - 5078 bytes

    ==========================================

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Ok, the Kaspersky findings are just leftovers.

    Delete everything inside this folder:
    C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache

    Delete this file if found:
    C:\WINDOWS\system32\pofegohu(junk).dllllll

    Then you should clean up your Outlook Express email folders as you have some infected emails there.

    You don't seem to have a third-party firewall installed. You must install one firewall.
    It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't e.g. protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

    These are good (free) firewalls:

    Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    First remove the older versions:
    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for each version of Java that is present
    • Download JavaRa and unzip it to your desktop.
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Now let's download and install the newest version:
    • Download Java SE Runtime Environment (JRE) 6 Update 12 from here: http://java.sun.com/javase/downloads/index.jsp
    • As Platform select your operating system, agree to the License Agreement and click Continue.
    • Now click on the link under Windows Offline Installation and download the installer to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.
    • Reboot your computer.


    If there are no problems - we'll remove all used tools

    Please download OTCleanIt and save it to desktop.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.


    Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

    Now let's uninstall ComboFix:

    * Click START then RUN
    * Now type Combofix /u in the runbox and click OK

    You may uninstall MBAM via Control Panel

    Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    • Use ATF Cleaner
      Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
    • Use Spybot S&D
      Download and install Spybot S&D. Update it and scan your computer regularly with it.
    • Install SpywareBlaster
      SpywareBlaster will prevent spyware from being installed.
    • Install MVPS Hosts file
      This prevents your computer from connecting to harmful sites.
    • Use Firefox browser
      Firefox is a faster, safer and better browser than Internet Explorer.
    • Keep your system up-to-date
      Visit Windows Update regularly.
    • Keep your antivirus and firewall up-to-date
      Scan your computer regularly with your antivirus.
    • Read this article by TonyKlein
      So how did I get infected in the first place?
    • Stand Up and Be Counted !
      The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


    Stay clean and be safe
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
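    The helper's reading of the Kaspersky report comes from where each file sits rather than from the threat names: hits inside ComboFix's Qoobox quarantine and inside System Restore snapshots are inert copies, the Java cache entries are exploit jars the plug-in downloaded, the .dbx hits are worm attachments inside Outlook Express mail stores, and only one file sits in a live system location. The script below is an added example (not from this thread or from Kaspersky) that applies that reading mechanically to a scanner report, so a list of 34 hits reduces to a handful of decisions. The category names and the handling text per category are this example's own assumptions, and the sample report is a constructed subset of the one posted above.

```python
"""Sort a Kaspersky Online Scanner report into "leftover" and "live" findings.

Added example, not code from the thread or from Kaspersky. It classifies each
finding by the file's location first and the scanner verdict second, which is
how the helper in this thread judged the report. Category names and the
handling text in ACTIONS are assumptions of this example; SAMPLE_REPORT is a
constructed subset of the report posted in the thread.
"""
from __future__ import annotations

import re
from collections import Counter

# One report line: "<path> Infected: <threat name> <count>"
REPORT_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Category -> what a responder does with it (assumed handling, see docstring).
ACTIONS = {
    "quarantine":    "inert copy in ComboFix's Qoobox quarantine; removed with the tool",
    "restore_point": "copy inside a System Restore snapshot; gone once restore points are cleared",
    "java_cache":    "exploit jar cached by the Java plug-in; empty the cache and update Java",
    "mail_store":    "worm attachment inside an Outlook Express .dbx; purge the folder",
    "riskware":      "not-a-virus verdict (a legitimate tool that can be misused); review before acting",
    "live":          "file in a live system location; remove and re-scan",
}

# Constructed subset of the Kaspersky report quoted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4a03e20f Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Steve\Desktop\AV Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064885.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\WINDOWS\system32\pofegohu(junk).dllllll Infected: Packed.Win32.Krap.q 1
"""


def classify(path: str, threat: str) -> str:
    """Decide the category from the file's location first, then the verdict."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    if p.endswith(".dbx"):
        return "mail_store"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    return "live"


def parse_report(text: str) -> list[tuple[str, str, str]]:
    """Return (category, threat, path) for every finding line in the report."""
    findings = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            findings.append((classify(m["path"], m["threat"]), m["threat"], m["path"]))
    return findings


def summarize(text: str) -> Counter:
    """Count findings per category."""
    return Counter(cat for cat, _, _ in parse_report(text))


def live_findings(text: str) -> list[str]:
    """Paths that still need removal from the running system."""
    return [path for cat, _, path in parse_report(text) if cat == "live"]


if __name__ == "__main__":
    for cat, n in summarize(SAMPLE_REPORT).items():
        print(f"{n:2d} {cat:<14} {ACTIONS[cat]}")
    print("still live:", live_findings(SAMPLE_REPORT))
```

Location is checked before the verdict on purpose: a TDSS driver in quarantine and the same driver in System32 carry the same threat name but call for different actions, and the "not-a-virus" rule only applies once the file is known to be outside quarantine, restore points, caches and mail stores.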

  9. #9
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Thanks!

    All is working well! Thanks, Mr_Jak3. Your help saved a reformat (never any fun). This is the first time I've had to come to this site for help. I really appreciate it.
    Steve

  10. #10
    Junior Member
    Join Date
    May 2009
    Posts
    13

    Oops! Spoke too soon!

    I spoke too soon. Today I was using Firefox and went to Google. About 1 in three links took me to the wrong site. Each time it was different. I ran Spybot and it reported Virtumonde.sci and Virtumonde.sdn. It cleaned these up, but there must still be something hiding. What's next?
    Steve
