Command Service problems

fenrif

New member
Hi, any help with this would be greatly appreciated. I've run Spybot Search and Destroy and Ad-Aware SE several times, but I keep getting reinfected. Spybot can't get rid of Command Service, and it seems to keep getting Surf Sidekick and TSUpdater (I think it's called that).

Also, I've tried running some of those online virus scans and they don't seem to load up. The Panda one takes me to a page saying to click Yes for the ActiveX control thing, but it never loads. Anyway, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:44:14 AM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\dfndrad_5.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Opera\Opera.exe
c:\ac3_0010.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Monitor\netmon.exe
C:\applicationas\security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [newname] c:\\nwnmad_5.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\nltui2.dll
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Again, any help would be greatly appreciated.
 
Welcome aboard. :)

First, you'll definitely need an anti-virus.

---

Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

---

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply. :bigthumb:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
 
OK, I downloaded and ran that virus program. Here's the ComboFix log (part 1) :)

Start Time= Mon 07/17/2006 14:38:09.25
Running from: C:\Documents and Settings\fenrif\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-17 13:29:42 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AVG7"
2006-07-17 13:28:24 ( .D... ) "C:\Program Files\Grisoft"
2006-07-17 12:26:22 235488 ( ..S.R ) "C:\WINDOWS\system32\e4020edoeh0c0.dll"
2006-07-17 04:35:38 235284 ( A.... ) "C:\WINDOWS\system32\l4p20e7oeh.dll"
2006-07-17 03:43:40 578560 ( A.... ) "C:\Installer2.exe"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-16 19:36:18 578560 ( A.... ) "C:\warebundlenewer.exe"
2006-07-15 16:03:58 61440 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-07-15 15:09:20 40960 ( A.... ) "C:\WINDOWS\system32\aqcebdip.dll"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:06:08 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Lavasoft"
2006-07-15 00:46:20 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-15 00:13:38 ( .D... ) "C:\Program Files\Common Files\irof"
2006-07-14 23:50:16 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-07-14 23:48:22 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-14 11:57:46 ( .D... ) "C:\Program Files\a-squared"
2006-07-14 05:31:32 393914 ( A.... ) "C:\warebundlenew.exe"
2006-07-14 05:31:32 61440 ( A.... ) "C:\WINDOWS\system32\esubf39b.dll"
2006-07-14 05:31:32 34754 ( A.... ) "C:\warebundle2.exe"
2006-07-14 05:30:50 81920 ( A.... ) "C:\dfndrad_5.exe"
2006-07-14 04:51:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\PC Tools"
2006-07-13 23:57:28 17331 ( A.... ) "C:\WINDOWS\Pplugin10xa.exe"
2006-07-13 00:42:06 126976 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-07-13 00:38:54 ( .D... ) "C:\Program Files\Warcraft III"
2006-07-11 19:04:40 502272 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2006-07-11 03:45:12 930 ( A.... ) "C:\Documents and Settings\fenrif\Application Data\enigmarc.lua2"
2006-07-11 03:40:46 ( .D... ) "C:\Program Files\Enigma"
2006-07-08 15:48:56 15973576 ( A.... ) "C:\vtmb_1_2.exe"
2006-07-08 15:30:56 ( .D... ) "C:\Program Files\Activision"
2006-07-06 13:18:38 ( .D... ) "C:\Program Files\palmOne"
2006-07-03 02:28:48 ( .D... ) "C:\Program Files\Turbine"
2006-07-02 03:16:22 ( .D... ) "C:\Program Files\Atari"
2006-06-30 03:36:54 5806971 ( A.... ) "C:\ET_Patch_2_60.exe"
2006-06-29 21:46:22 ( .D... ) "C:\Program Files\Wolfenstein - Enemy Territory"
2006-06-29 21:02:04 270305943 ( A.... ) "C:\WolfET.exe"
2006-06-24 15:46:16 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\dvdcss"
2006-06-22 17:27:56 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ahead"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\UltraISO"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\Common Files\EZB Systems"
2006-06-21 20:00:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Azureus"
2006-06-20 15:56:02 ( .D... ) "C:\Program Files\D-Fend"
2006-06-20 15:55:46 ( .D... ) "C:\Program Files\DOSBox-0.65"
2006-06-20 15:12:00 ( .D... ) "C:\Program Files\IA"
2006-06-17 03:55:16 31248128 ( A.... ) "C:\back_up.reg"
2006-06-16 02:19:30 ( .D... ) "C:\Program Files\BIOS Utility"
2006-06-16 02:17:40 ( .D... ) "C:\Program Files\Promise"
2006-06-16 01:52:14 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-15 17:34:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Symantec"
2006-06-15 15:24:34 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AdobeUM"
2006-06-15 15:23:36 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Adobe"
2006-06-14 17:18:32 ( .D... ) "C:\Program Files\CDex_170b1"
2006-06-14 03:29:24 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Motive"
2006-06-14 02:52:06 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-14 02:51:18 ( .D... ) "C:\Program Files\ntl"
2006-06-12 17:32:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ableton"
2006-06-12 15:42:10 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Help"
2006-06-12 12:57:18 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Macromedia"
2006-06-12 12:40:50 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Opera"
2006-06-12 12:30:52 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-12 05:50:54 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\vlc"
2006-06-12 05:48:18 62 ( A.SH. ) "C:\Documents and Settings\fenrif\Application Data\desktop.ini"
2006-06-12 05:28:20 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Identities"
2006-06-12 05:28:06 ( .DS.. ) "C:\Documents and Settings\fenrif\Application Data\Microsoft"
2006-06-08 17:38:30 ( .D... ) "C:\Program Files\Ableton"
2006-06-01 19:09:24 208896 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2006-06-01 17:22:00 5246976 ( A.... ) "C:\WINDOWS\system32\nvdispsr.dll"
2006-06-01 17:22:00 2977792 ( A.... ) "C:\WINDOWS\system32\nvvitvsr.dll"
2006-06-01 17:22:00 2916352 ( A.... ) "C:\WINDOWS\system32\nvgamesr.dll"
2006-06-01 17:22:00 2859008 ( A.... ) "C:\WINDOWS\system32\nvmoblsr.dll"
2006-06-01 17:22:00 1740800 ( A.... ) "C:\WINDOWS\system32\nvwssr.dll"
2006-06-01 17:22:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2006-06-01 17:22:00 462848 ( A.... ) "C:\WINDOWS\system32\nvmccssr.dll"
2006-06-01 17:22:00 208896 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2006-05-28 20:04:56 ( .D... ) "C:\Program Files\igowin"
2006-05-28 19:47:38 ( .D... ) "C:\Program Files\glGo"
2006-05-18 18:27:32 ( .D... ) "C:\Program Files\Darwinia"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-17 12:26 235,488 C:\WINDOWS\system32\e4020edoeh0c0.dll
2006-07-17 04:35 235,284 C:\WINDOWS\system32\l4p20e7oeh.dll
2006-07-17 03:43 578,560 C:\Installer2.exe
2006-07-17 03:18 670,617,600 C:\hiberfil.sys
2006-07-16 19:36 578,560 C:\warebundlenewer.exe
2006-07-15 16:03 61,440 C:\WINDOWS\system32\aaa00000.dll
2006-07-15 16:03 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-15 15:09 40,960 C:\WINDOWS\system32\aqcebdip.dll
2006-07-14 23:48 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-14 05:31 61,440 C:\WINDOWS\system32\esubf39b.dll
2006-07-14 05:31 393,914 C:\warebundlenew.exe
2006-07-14 05:31 34,754 C:\warebundle2.exe
2006-07-14 05:31 1,063 C:\WINDOWS\system32\esubf39b.sys
2006-07-14 05:30 81,920 C:\dfndrad_5.exe
2006-07-13 23:57 17,331 C:\WINDOWS\Pplugin10xa.exe
2006-07-13 00:42 126,976 C:\WINDOWS\War3Unin.exe
2006-07-08 15:46 15,973,576 C:\vtmb_1_2.exe
2006-07-03 02:46 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-03 02:46 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-03 02:46 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-03 02:46 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-03 02:46 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-03 02:46 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-06-30 04:00 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-06-30 04:00 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-30 03:36 5,806,971 C:\ET_Patch_2_60.exe
2006-06-29 17:44 270,305,943 C:\WolfET.exe
2006-06-22 15:41 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-06-21 19:58 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-21 19:58 49,248 C:\WINDOWS\system32\java.exe
2006-06-21 19:58 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-21 15:59 569,344 C:\WINDOWS\system32\imagr5.dll
2006-06-21 15:59 544,768 C:\WINDOWS\system32\imagx5.dll
2006-06-21 15:59 38,912 C:\WINDOWS\system32\picn20.dll
2006-06-21 15:59 283,920 C:\WINDOWS\system32\ImagXpr5.dll
2006-06-21 15:59 155,648 C:\WINDOWS\system32\NeroCheck.exe
2006-06-18 16:35 151,552 C:\WINDOWS\system32\pxwma.dll
2006-06-18 16:35 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-18 16:35 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-15 02:13 929,792 C:\WINDOWS\system32\PRISME5.dll
2006-06-14 02:51 46,352 C:\WINDOWS\setdebug.exe
2006-06-14 02:51 313,856 C:\WINDOWS\system32\dx3j.dll
2006-06-14 02:51 170,768 C:\WINDOWS\system32\jit.dll
2006-06-14 02:51 139,536 C:\WINDOWS\system32\javaee.dll
2006-06-14 02:50 933,648 C:\WINDOWS\system32\msjava.dll
2006-06-14 02:50 49,424 C:\WINDOWS\system32\clspack.exe
2006-06-14 02:50 401,168 C:\WINDOWS\system32\javart.dll
2006-06-14 02:50 34,576 C:\WINDOWS\system32\javaprxy.dll
2006-06-14 02:50 277,776 C:\WINDOWS\system32\vmhelper.dll
2006-06-14 02:50 21,264 C:\WINDOWS\system32\msjdbc10.dll
2006-06-14 02:50 192,784 C:\WINDOWS\system32\javacypt.dll
2006-06-14 02:50 169,232 C:\WINDOWS\system32\jview.exe
2006-06-14 02:50 162,576 C:\WINDOWS\system32\wjview.exe
2006-06-14 02:50 154,384 C:\WINDOWS\system32\msawt.dll
2006-06-14 02:50 15,120 C:\WINDOWS\system32\jdbgmgr.exe
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedon.reg
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedoff.reg
2006-06-12 17:32 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-12 17:32 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-06-12 17:32 225,280 C:\WINDOWS\system32\ReWire.dll
2006-06-12 17:32 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-06-12 16:16 304,128 C:\WINDOWS\IsUninst.exe
2006-06-12 13:11 1,056,768 C:\WINDOWS\system32\RoboEx32.dll
2006-06-12 12:29 24,064 C:\WINDOWS\system32\msxml3a.dll
2006-06-12 06:01 4,096 C:\WINDOWS\system32\ksuser.dll
2006-06-12 05:53 3,921,024 C:\WINDOWS\system32\nv4_disp.dll
2006-06-12 05:52 74,240 C:\WINDOWS\system32\usbui.dll
2006-06-12 05:48 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-06-12 05:48 8,704 C:\WINDOWS\system32\batt.dll
2006-06-12 05:48 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-06-12 05:48 74,752 C:\WINDOWS\system32\storprop.dll
2006-06-12 05:48 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-06-12 05:48 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdest.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdur.dll
 
Part 2 of the ComboFix log:

2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdro.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-06-12 05:48 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-06-12 05:48 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-06-12 05:48 15,360 C:\WINDOWS\TASKMAN.EXE
2006-06-12 05:48 13,312 C:\WINDOWS\system32\irclass.dll
2006-06-12 05:48 103,424 C:\WINDOWS\system32\EqnClass.Dll
2006-06-12 05:38 1,006,632,960 C:\pagefile.sys
2006-06-12 05:08 112,128 C:\WINDOWS\system32\mapi32.dll
2006-06-12 05:05 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-06-12 05:05 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-06-12 05:05 67,584 C:\WINDOWS\system32\srclient.dll
2006-06-12 05:05 64,512 C:\WINDOWS\system32\acctres.dll
2006-06-12 05:05 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-06-12 05:05 45,568 C:\WINDOWS\system32\safrslv.dll
2006-06-12 05:05 430,592 C:\WINDOWS\system32\wuapi.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-06-12 05:05 382,464 C:\WINDOWS\system32\qmgr.dll
2006-06-12 05:05 36,864 C:\WINDOWS\system32\wups.dll
2006-06-12 05:05 29,696 C:\WINDOWS\system32\safrdm.dll
2006-06-12 05:05 239,104 C:\WINDOWS\system32\srrstr.dll
2006-06-12 05:05 22,528 C:\WINDOWS\system32\fltMc.exe
2006-06-12 05:05 183,296 C:\WINDOWS\system32\wuaueng1.dll
2006-06-12 05:05 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-06-12 05:05 170,496 C:\WINDOWS\system32\srsvc.dll
2006-06-12 05:05 165,888 C:\WINDOWS\system32\wuauclt1.exe
2006-06-12 05:05 16,896 C:\WINDOWS\system32\fltlib.dll
2006-06-12 05:05 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-06-12 05:05 120,320 C:\WINDOWS\system32\wuweb.dll
2006-06-12 05:05 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-06-12 05:05 112,640 C:\WINDOWS\system32\wucltui.dll
2006-06-12 05:05 111,104 C:\WINDOWS\system32\wuauclt.exe
2006-06-12 05:05 11,264 C:\WINDOWS\system32\atrace.dll
2006-06-12 05:05 1,134,592 C:\WINDOWS\system32\wuaueng.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\isign32.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\ils.dll
2006-06-12 05:04 73,728 C:\WINDOWS\system32\icwdial.dll
2006-06-12 05:04 69,632 C:\WINDOWS\system32\msconf.dll
2006-06-12 05:04 678,400 C:\WINDOWS\system32\inetcomm.dll
2006-06-12 05:04 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-06-12 05:04 48,128 C:\WINDOWS\system32\inetres.dll
2006-06-12 05:04 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-06-12 05:04 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-06-12 05:04 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-06-12 05:04 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-06-12 05:04 274,944 C:\WINDOWS\system32\mstask.dll
2006-06-12 05:04 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-06-12 05:04 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-06-12 05:04 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-06-12 05:04 12,288 C:\WINDOWS\system32\mstinit.exe
2006-06-12 05:04 105,984 C:\WINDOWS\system32\msoert2.dll
2006-06-12 05:03 5,632 C:\WINDOWS\system32\write.exe
2006-06-12 05:02 949,248 C:\WINDOWS\system32\msdtctm.dll
2006-06-12 05:02 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-06-12 05:02 90,112 C:\WINDOWS\system32\mtxoci.dll
2006-06-12 05:02 9,728 C:\WINDOWS\system32\reset.exe
2006-06-12 05:02 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-06-12 05:02 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-06-12 05:02 82,432 C:\WINDOWS\system32\comrepl.dll
2006-06-12 05:02 80,384 C:\WINDOWS\system32\charmap.exe
2006-06-12 05:02 73,216 C:\WINDOWS\system32\avwav.dll
2006-06-12 05:02 67,072 C:\WINDOWS\system32\rdshost.exe
2006-06-12 05:02 655,360 C:\WINDOWS\system32\mstscax.dll
2006-06-12 05:02 628,224 C:\WINDOWS\system32\catsrvut.dll
2006-06-12 05:02 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-06-12 05:02 62,464 C:\WINDOWS\system32\colbact.dll
2006-06-12 05:02 605,696 C:\WINDOWS\system32\getuname.dll
2006-06-12 05:02 60,416 C:\WINDOWS\system32\remotepg.dll
2006-06-12 05:02 6,144 C:\WINDOWS\system32\msdtc.exe
2006-06-12 05:02 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-06-12 05:02 58,880 C:\WINDOWS\system32\licwmi.dll
2006-06-12 05:02 56,832 C:\WINDOWS\system32\sol.exe
2006-06-12 05:02 56,320 C:\WINDOWS\system32\servdeps.dll
2006-06-12 05:02 55,296 C:\WINDOWS\system32\freecell.exe
2006-06-12 05:02 540,160 C:\WINDOWS\system32\comuid.dll
2006-06-12 05:02 54,272 C:\WINDOWS\system32\stclient.dll
2006-06-12 05:02 538,624 C:\WINDOWS\system32\spider.exe
2006-06-12 05:02 501,248 C:\WINDOWS\system32\clbcatq.dll
2006-06-12 05:02 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\hticons.dll
2006-06-12 05:02 425,472 C:\WINDOWS\system32\msdtcprx.dll
2006-06-12 05:02 407,552 C:\WINDOWS\system32\mstsc.exe
2006-06-12 05:02 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-06-12 05:02 4,096 C:\WINDOWS\system32\mtxex.dll
2006-06-12 05:02 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-06-12 05:02 35,328 C:\WINDOWS\system32\winchat.exe
2006-06-12 05:02 345,088 C:\WINDOWS\system32\hypertrm.dll
2006-06-12 05:02 343,040 C:\WINDOWS\system32\mspaint.exe
2006-06-12 05:02 33,792 C:\WINDOWS\system32\regini.exe
2006-06-12 05:02 295,424 C:\WINDOWS\system32\termsrv.dll
2006-06-12 05:02 25,600 C:\WINDOWS\system32\comaddin.dll
2006-06-12 05:02 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-06-12 05:02 229,888 C:\WINDOWS\system32\catsrv.dll
2006-06-12 05:02 227,840 C:\WINDOWS\system32\avtapi.dll
2006-06-12 05:02 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-06-12 05:02 20,992 C:\WINDOWS\system32\msg.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\qprocess.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-06-12 05:02 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-06-12 05:02 185,344 C:\WINDOWS\system32\cmprops.dll
2006-06-12 05:02 183,808 C:\WINDOWS\system32\accwiz.exe
2006-06-12 05:02 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-06-12 05:02 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-06-12 05:02 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-06-12 05:02 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\tskill.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\avmeter.dll
2006-06-12 05:02 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-06-12 05:02 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-06-12 05:02 15,360 C:\WINDOWS\system32\logoff.exe
2006-06-12 05:02 147,968 C:\WINDOWS\system32\rdchost.dll
2006-06-12 05:02 147,456 C:\WINDOWS\system32\comsnap.dll
2006-06-12 05:02 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\shadow.exe
2006-06-12 05:02 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-06-12 05:02 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-06-12 05:02 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-06-12 05:02 126,976 C:\WINDOWS\system32\mshearts.exe
2006-06-12 05:02 123,392 C:\WINDOWS\system32\mplay32.exe
2006-06-12 05:02 119,808 C:\WINDOWS\system32\winmine.exe
2006-06-12 05:02 114,688 C:\WINDOWS\system32\calc.exe
2006-06-12 05:02 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-06-12 05:02 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-06-12 05:02 11,264 C:\WINDOWS\system32\icaapi.dll
2006-06-12 05:02 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-06-12 05:02 1,251,840 C:\WINDOWS\system32\comsvcs.dll
2006-06-12 05:02 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-06-04 22:40 31,248,128 C:\back_up.reg


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"defender"="C:\\\\dfndrad_5.exe"
"esubf39b"="RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81"
"RegistryMechanic"=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AAW"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder

Completion time: Mon 07/17/2006 14:38:33.06
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt
 
Weird... Go ahead and delete Combofix.

Please download Look2Me-Destroyer to your desktop.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :)
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
 
OK, here's the Look2Me-Destroyer log:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/17/2006 3:42:27 PM

Infected! C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001413.dll
Infected! C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001425.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001413.dll
C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001413.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001425.dll
C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}\RP3\A0001425.dll Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4602756C-B150-4C00-ADDC-9EADAD2A85A2}"
HKCR\Clsid\{4602756C-B150-4C00-ADDC-9EADAD2A85A2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{02C8407C-C4C8-4AD0-A7A8-BE064C347394}"
HKCR\Clsid\{02C8407C-C4C8-4AD0-A7A8-BE064C347394}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CFC68A1C-644A-4769-81B6-5EAC6741A233}"
HKCR\Clsid\{CFC68A1C-644A-4769-81B6-5EAC6741A233}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{353C76F2-A64A-4FFF-A958-49707FC77DED}"
HKCR\Clsid\{353C76F2-A64A-4FFF-A958-49707FC77DED}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

And here's a fresh HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:55:30 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Winamp\winampa.exe
C:\dfndrad_5.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\applicationas\security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 
Okay, go ahead and delete Look2Me-Destroyer :)

Let's continue...

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  2. Once the setup is complete you will need to run Ewido and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

==

2. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

4. IMPORTANT: Do not open any other windows or programs while Ewido is scanning, as it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido.

==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the Scriptline to execute field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HiJackThis log.
 
OK, here's the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:14:18 PM 7/17/2006

+ Scan result:



C:\WINDOWS\ZmVucmlm\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\ZmVucmlm\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\6RMZH8TN\ac3[1].txt -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aaa00000.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\esubf39b.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\0JDVVDPA\Installer[2].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Installer2.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\e4020edoeh0c0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\l4p20e7oeh.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnce -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnceEx -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnce -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnceEx -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuAllUsers -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuCurrentUser -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Application Data\PSGuard.com\P.S.Guard\BrowserObjects -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Pplugin10xa.exe -> Backdoor.Dumaru.E : Cleaned with backup (quarantined).
C:\games\World.Of.Warcraft.CDKEY.AND.60DAY.CARD.GEN.WORKiNG.Reloaded.rar/World.Of.Warcraft.CDKEY.AND.60DAY.CARD.GEN.WORKiNG.Reloaded.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\GL28H58T\nwnmad_5[1].exe -> Downloader.Adload.ca : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\0JDVVDPA\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Local Settings\Temporary Internet Files\Content.IE5\GL28H58T\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\dfndrad_5.exe -> Hijacker.VB.nh : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\Matthew\Cookies\matthew@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\fenrif\Cookies\fenrif@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\games\Palm Stuff\FullScreen1.04[wh].zip/FullScreen1.04/Setup.exe -> Worm.Bagle.fk : Cleaned with backup (quarantined).
C:\games\Palm Stuff\FullScreen1.04[wh].zip/FullScreen1.04[wh]/Setup.exe -> Worm.Bagle.fk : Cleaned with backup (quarantined).


::Report end

And here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:13 AM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\applicationas\security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

A lot of the popups seem to have stopped now.
 
Please run a scan with HijackThis and check the following objects for removal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...reeInstall.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

---

Please rescan with Combofix and post back with its report along with a fresh HijackThis log. It will show some useful info :)
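The post above picks entries out of the log by hand. The following Python script is an added example, not part of the original thread and not something HijackThis or any of the tools mentioned here produces: it encodes the same kind of triage rules and runs them over lines copied from the logs posted above. The severity labels, the allowlist of ActiveX download hosts and the random-name heuristic are my own assumptions. Besides the entries the post lists, it also flags the two Internet Settings lines that point at 213.105.224.12, since a PAC URL or proxy set to a bare IP means every browser request is being sent through that host, which is worth reviewing before the machine is declared clean.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section reason line")

# Lines copied from the HijackThis logs posted in this thread, with a few
# benign entries from the same logs kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [esubf39b] RUNDLL32.EXE w04b9c81.dll,n 001bf39a0000000a04b9c81
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Assumed allowlist for O16 (ActiveX download) hosts; tune it for your environment.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com", "java.sun.com"}

BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
RUNDLL = re.compile(r"RUNDLL32(?:\.EXE)?\s+([^\s,]+)", re.IGNORECASE)
DPF_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
RUN_NAME = re.compile(r"\[([^\]]+)\]")


def looks_random(name):
    """Heuristic: 6+ alphanumerics mixing letters and digits (esubf39b, w04b9c81)."""
    return (len(name) >= 6 and re.fullmatch(r"[A-Za-z0-9]+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(log_text):
    """Return a list of Finding for the HijackThis lines that deserve a look."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        section = line.split(" - ", 1)[0]

        if section in ("R0", "R1"):
            key, _, value = line.rpartition("=")
            key, value = key.rstrip(), value.strip()
            if key.endswith(("AutoConfigURL", "ProxyServer")) and BARE_IP.match(value):
                # Every browser request is being sent to this address; nothing
                # on a home PC legitimately sets a proxy or PAC to a bare IP.
                findings.append(Finding("high", section,
                                        "proxy/PAC setting points at a bare IP address", line))
            elif value in ("", "about:blank"):
                findings.append(Finding("low", section,
                                        "browser default blanked (hijacker leftover); reset it", line))

        elif section == "O4":
            m = RUNDLL.search(line)
            entry = RUN_NAME.search(line)
            if m:
                dll = m.group(1)
                stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                # A DLL given by bare name is resolved through the DLL search
                # path, and a random-looking name is a classic adware tell.
                if "\\" not in dll and (looks_random(stem)
                                        or (entry and looks_random(entry.group(1)))):
                    findings.append(Finding("high", section,
                                            "rundll32 loads a bare, random-looking DLL", line))

        elif section == "O16":
            host = DPF_HOST.search(line)
            if host and host.group(1).lower() not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("medium", section,
                                        "ActiveX download (DPF) from a host outside the allowlist", line))

        if "(file missing)" in line:
            findings.append(Finding("medium", section,
                                    "entry references a file that no longer exists; orphan to fix", line))
    return findings


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run it as-is to see the report; to triage a real log, replace SAMPLE_LOG with the log's contents. The rules are deliberately narrow and produce a shortlist for a human to check, not a verdict: a bare-IP proxy and a rundll32 entry loading a random-named DLL by bare name are the two findings that should block calling the machine clean.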
 
OK, here's the first part of the ComboFix log:

Start Time= Tue 07/18/2006 12:15:15.63
Running from: C:\Documents and Settings\fenrif\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-17 17:36:48 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-17 13:29:42 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AVG7"
2006-07-17 13:28:24 ( .D... ) "C:\Program Files\Grisoft"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-17 03:43:40 1063 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-07-15 15:09:20 40960 ( A.... ) "C:\WINDOWS\system32\aqcebdip.dll"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:12:44 1063 ( A.... ) "C:\WINDOWS\system32\esubf39b.sys"
2006-07-15 01:06:08 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Lavasoft"
2006-07-15 00:46:20 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-15 00:13:38 ( .D... ) "C:\Program Files\Common Files\irof"
2006-07-14 23:50:16 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-07-14 23:48:22 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-07-14 11:57:46 ( .D... ) "C:\Program Files\a-squared"
2006-07-14 05:31:32 393914 ( A.... ) "C:\warebundlenew.exe"
2006-07-14 05:31:32 34754 ( A.... ) "C:\warebundle2.exe"
2006-07-14 04:51:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\PC Tools"
2006-07-13 00:42:06 126976 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-07-13 00:38:54 ( .D... ) "C:\Program Files\Warcraft III"
2006-07-11 19:04:40 502272 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2006-07-11 03:45:12 930 ( A.... ) "C:\Documents and Settings\fenrif\Application Data\enigmarc.lua2"
2006-07-11 03:40:46 ( .D... ) "C:\Program Files\Enigma"
2006-07-08 15:48:56 15973576 ( A.... ) "C:\vtmb_1_2.exe"
2006-07-08 15:30:56 ( .D... ) "C:\Program Files\Activision"
2006-07-06 13:18:38 ( .D... ) "C:\Program Files\palmOne"
2006-07-03 02:28:48 ( .D... ) "C:\Program Files\Turbine"
2006-07-02 03:16:22 ( .D... ) "C:\Program Files\Atari"
2006-06-30 03:36:54 5806971 ( A.... ) "C:\ET_Patch_2_60.exe"
2006-06-29 21:46:22 ( .D... ) "C:\Program Files\Wolfenstein - Enemy Territory"
2006-06-29 21:02:04 270305943 ( A.... ) "C:\WolfET.exe"
2006-06-24 15:46:16 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\dvdcss"
2006-06-22 17:27:56 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ahead"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\UltraISO"
2006-06-22 17:09:38 ( .D... ) "C:\Program Files\Common Files\EZB Systems"
2006-06-21 20:00:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Azureus"
2006-06-20 15:56:02 ( .D... ) "C:\Program Files\D-Fend"
2006-06-20 15:55:46 ( .D... ) "C:\Program Files\DOSBox-0.65"
2006-06-20 15:12:00 ( .D... ) "C:\Program Files\IA"
2006-06-17 03:55:16 31248128 ( A.... ) "C:\back_up.reg"
2006-06-16 02:19:30 ( .D... ) "C:\Program Files\BIOS Utility"
2006-06-16 02:17:40 ( .D... ) "C:\Program Files\Promise"
2006-06-16 01:52:14 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-15 17:34:06 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Symantec"
2006-06-15 15:24:34 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\AdobeUM"
2006-06-15 15:23:36 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Adobe"
2006-06-14 17:18:32 ( .D... ) "C:\Program Files\CDex_170b1"
2006-06-14 03:29:24 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Motive"
2006-06-14 02:52:06 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-14 02:51:18 ( .D... ) "C:\Program Files\ntl"
2006-06-12 17:32:12 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Ableton"
2006-06-12 15:42:10 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Help"
2006-06-12 12:57:18 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Macromedia"
2006-06-12 12:40:50 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Opera"
2006-06-12 12:30:52 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-12 05:50:54 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\vlc"
2006-06-12 05:48:18 62 ( A.SH. ) "C:\Documents and Settings\fenrif\Application Data\desktop.ini"
2006-06-12 05:28:20 ( .D... ) "C:\Documents and Settings\fenrif\Application Data\Identities"
2006-06-12 05:28:06 ( .DS.. ) "C:\Documents and Settings\fenrif\Application Data\Microsoft"
2006-06-08 17:38:30 ( .D... ) "C:\Program Files\Ableton"
2006-06-01 19:09:24 208896 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2006-06-01 17:22:00 5246976 ( A.... ) "C:\WINDOWS\system32\nvdispsr.dll"
2006-06-01 17:22:00 2977792 ( A.... ) "C:\WINDOWS\system32\nvvitvsr.dll"
2006-06-01 17:22:00 2916352 ( A.... ) "C:\WINDOWS\system32\nvgamesr.dll"
2006-06-01 17:22:00 2859008 ( A.... ) "C:\WINDOWS\system32\nvmoblsr.dll"
2006-06-01 17:22:00 1740800 ( A.... ) "C:\WINDOWS\system32\nvwssr.dll"
2006-06-01 17:22:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2006-06-01 17:22:00 462848 ( A.... ) "C:\WINDOWS\system32\nvmccssr.dll"
2006-06-01 17:22:00 208896 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2006-05-28 20:04:56 ( .D... ) "C:\Program Files\igowin"
2006-05-28 19:47:38 ( .D... ) "C:\Program Files\glGo"
2006-05-18 18:27:32 ( .D... ) "C:\Program Files\Darwinia"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-17 23:55 670,617,600 C:\hiberfil.sys
2006-07-15 16:03 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-15 15:09 40,960 C:\WINDOWS\system32\aqcebdip.dll
2006-07-14 23:48 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-07-14 05:31 393,914 C:\warebundlenew.exe
2006-07-14 05:31 34,754 C:\warebundle2.exe
2006-07-14 05:31 1,063 C:\WINDOWS\system32\esubf39b.sys
2006-07-13 00:42 126,976 C:\WINDOWS\War3Unin.exe
2006-07-08 15:46 15,973,576 C:\vtmb_1_2.exe
2006-07-03 02:46 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-03 02:46 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-07-03 02:46 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-03 02:46 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-03 02:46 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-07-03 02:46 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-06-30 04:00 208,896 C:\WINDOWS\system32\NVUNINST.EXE
2006-06-30 04:00 208,896 C:\WINDOWS\system32\nvudisp.exe
2006-06-30 03:36 5,806,971 C:\ET_Patch_2_60.exe
2006-06-29 17:44 270,305,943 C:\WolfET.exe
2006-06-22 15:41 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-06-21 19:58 53,346 C:\WINDOWS\system32\javaw.exe
2006-06-21 19:58 49,248 C:\WINDOWS\system32\java.exe
2006-06-21 19:58 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-21 15:59 569,344 C:\WINDOWS\system32\imagr5.dll
2006-06-21 15:59 544,768 C:\WINDOWS\system32\imagx5.dll
2006-06-21 15:59 38,912 C:\WINDOWS\system32\picn20.dll
2006-06-21 15:59 283,920 C:\WINDOWS\system32\ImagXpr5.dll
2006-06-21 15:59 155,648 C:\WINDOWS\system32\NeroCheck.exe
2006-06-18 16:35 151,552 C:\WINDOWS\system32\pxwma.dll
2006-06-18 16:35 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-18 16:35 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-15 02:13 929,792 C:\WINDOWS\system32\PRISME5.dll
2006-06-14 02:51 46,352 C:\WINDOWS\setdebug.exe
2006-06-14 02:51 313,856 C:\WINDOWS\system32\dx3j.dll
2006-06-14 02:51 170,768 C:\WINDOWS\system32\jit.dll
2006-06-14 02:51 139,536 C:\WINDOWS\system32\javaee.dll
2006-06-14 02:50 933,648 C:\WINDOWS\system32\msjava.dll
2006-06-14 02:50 49,424 C:\WINDOWS\system32\clspack.exe
2006-06-14 02:50 401,168 C:\WINDOWS\system32\javart.dll
2006-06-14 02:50 34,576 C:\WINDOWS\system32\javaprxy.dll
2006-06-14 02:50 277,776 C:\WINDOWS\system32\vmhelper.dll
2006-06-14 02:50 21,264 C:\WINDOWS\system32\msjdbc10.dll
2006-06-14 02:50 192,784 C:\WINDOWS\system32\javacypt.dll
2006-06-14 02:50 169,232 C:\WINDOWS\system32\jview.exe
2006-06-14 02:50 162,576 C:\WINDOWS\system32\wjview.exe
2006-06-14 02:50 154,384 C:\WINDOWS\system32\msawt.dll
2006-06-14 02:50 15,120 C:\WINDOWS\system32\jdbgmgr.exe
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedon.reg
2006-06-14 02:50 113 C:\WINDOWS\system32\zonedoff.reg
2006-06-12 17:32 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-06-12 17:32 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-06-12 17:32 225,280 C:\WINDOWS\system32\ReWire.dll
2006-06-12 17:32 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-06-12 16:16 304,128 C:\WINDOWS\IsUninst.exe
2006-06-12 13:11 1,056,768 C:\WINDOWS\system32\RoboEx32.dll
2006-06-12 12:29 24,064 C:\WINDOWS\system32\msxml3a.dll
2006-06-12 06:01 4,096 C:\WINDOWS\system32\ksuser.dll
2006-06-12 05:53 3,921,024 C:\WINDOWS\system32\nv4_disp.dll
2006-06-12 05:52 74,240 C:\WINDOWS\system32\usbui.dll
2006-06-12 05:48 85,020 C:\WINDOWS\system32\dgsetup.dll
2006-06-12 05:48 8,704 C:\WINDOWS\system32\batt.dll
2006-06-12 05:48 8,192 C:\WINDOWS\system32\kbdhept.dll
2006-06-12 05:48 74,752 C:\WINDOWS\system32\storprop.dll
2006-06-12 05:48 7,168 C:\WINDOWS\system32\kbdcz.dll
2006-06-12 05:48 69,120 C:\WINDOWS\NOTEPAD.EXE
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdycl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdsl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdpl.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhu.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdhela3.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz2.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcz1.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\kbdcr.dll
2006-06-12 05:48 6,656 C:\WINDOWS\system32\KBDAL.DLL
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuq.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdtuf.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv1.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdlv.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdhela2.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdgkl.dll
2006-06-12 05:48 6,144 C:\WINDOWS\system32\kbdest.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdycc.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbduzb.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdur.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdtat.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdru.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdro.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdpl1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdmon.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdlt.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkyr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdkaz.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhu1.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe319.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe220.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdhe.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdbu.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdblr.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdazel.dll
2006-06-12 05:48 5,632 C:\WINDOWS\system32\kbdaze.dll
2006-06-12 05:48 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-06-12 05:48 176,157 C:\WINDOWS\system32\dgrpsetu.dll
2006-06-12 05:48 15,360 C:\WINDOWS\TASKMAN.EXE
2006-06-12 05:48 13,312 C:\WINDOWS\system32\irclass.dll
2006-06-12 05:48 103,424 C:\WINDOWS\system32\EqnClass.Dll
2006-06-12 05:38 1,006,632,960 C:\pagefile.sys
2006-06-12 05:08 112,128 C:\WINDOWS\system32\mapi32.dll
2006-06-12 05:05 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-06-12 05:05 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-06-12 05:05 67,584 C:\WINDOWS\system32\srclient.dll
2006-06-12 05:05 64,512 C:\WINDOWS\system32\acctres.dll
2006-06-12 05:05 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-06-12 05:05 45,568 C:\WINDOWS\system32\safrslv.dll
2006-06-12 05:05 430,592 C:\WINDOWS\system32\wuapi.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-06-12 05:05 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-06-12 05:05 382,464 C:\WINDOWS\system32\qmgr.dll
2006-06-12 05:05 36,864 C:\WINDOWS\system32\wups.dll
2006-06-12 05:05 29,696 C:\WINDOWS\system32\safrdm.dll
2006-06-12 05:05 239,104 C:\WINDOWS\system32\srrstr.dll
2006-06-12 05:05 22,528 C:\WINDOWS\system32\fltMc.exe
2006-06-12 05:05 183,296 C:\WINDOWS\system32\wuaueng1.dll
2006-06-12 05:05 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-06-12 05:05 170,496 C:\WINDOWS\system32\srsvc.dll
2006-06-12 05:05 165,888 C:\WINDOWS\system32\wuauclt1.exe
2006-06-12 05:05 16,896 C:\WINDOWS\system32\fltlib.dll
2006-06-12 05:05 16,384 C:\WINDOWS\system32\icfgnt5.dll
2006-06-12 05:05 120,320 C:\WINDOWS\system32\wuweb.dll
2006-06-12 05:05 12,288 C:\WINDOWS\system32\nmevtmsg.dll
2006-06-12 05:05 112,640 C:\WINDOWS\system32\wucltui.dll
2006-06-12 05:05 111,104 C:\WINDOWS\system32\wuauclt.exe
2006-06-12 05:05 11,264 C:\WINDOWS\system32\atrace.dll
2006-06-12 05:05 1,134,592 C:\WINDOWS\system32\wuaueng.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\isign32.dll
2006-06-12 05:04 81,920 C:\WINDOWS\system32\ils.dll
2006-06-12 05:04 73,728 C:\WINDOWS\system32\icwdial.dll
2006-06-12 05:04 69,632 C:\WINDOWS\system32\msconf.dll
2006-06-12 05:04 678,400 C:\WINDOWS\system32\inetcomm.dll
2006-06-12 05:04 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-06-12 05:04 48,128 C:\WINDOWS\system32\inetres.dll
2006-06-12 05:04 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-06-12 05:04 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-06-12 05:04 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-06-12 05:04 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-06-12 05:04 274,944 C:\WINDOWS\system32\mstask.dll
2006-06-12 05:04 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-06-12 05:04 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-06-12 05:04 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-06-12 05:04 12,288 C:\WINDOWS\system32\mstinit.exe
2006-06-12 05:04 105,984 C:\WINDOWS\system32\msoert2.dll
2006-06-12 05:03 5,632 C:\WINDOWS\system32\write.exe
2006-06-12 05:02 949,248 C:\WINDOWS\system32\msdtctm.dll
2006-06-12 05:02 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-06-12 05:02 90,112 C:\WINDOWS\system32\mtxoci.dll
2006-06-12 05:02 9,728 C:\WINDOWS\system32\reset.exe
2006-06-12 05:02 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-06-12 05:02 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-06-12 05:02 82,432 C:\WINDOWS\system32\comrepl.dll
2006-06-12 05:02 80,384 C:\WINDOWS\system32\charmap.exe
2006-06-12 05:02 73,216 C:\WINDOWS\system32\avwav.dll
2006-06-12 05:02 67,072 C:\WINDOWS\system32\rdshost.exe
2006-06-12 05:02 655,360 C:\WINDOWS\system32\mstscax.dll
2006-06-12 05:02 628,224 C:\WINDOWS\system32\catsrvut.dll
2006-06-12 05:02 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-06-12 05:02 62,464 C:\WINDOWS\system32\colbact.dll
2006-06-12 05:02 605,696 C:\WINDOWS\system32\getuname.dll
2006-06-12 05:02 60,416 C:\WINDOWS\system32\remotepg.dll
2006-06-12 05:02 6,144 C:\WINDOWS\system32\msdtc.exe
2006-06-12 05:02 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-06-12 05:02 58,880 C:\WINDOWS\system32\licwmi.dll
2006-06-12 05:02 56,832 C:\WINDOWS\system32\sol.exe
2006-06-12 05:02 56,320 C:\WINDOWS\system32\servdeps.dll
2006-06-12 05:02 55,296 C:\WINDOWS\system32\freecell.exe
2006-06-12 05:02 540,160 C:\WINDOWS\system32\comuid.dll
2006-06-12 05:02 54,272 C:\WINDOWS\system32\stclient.dll
2006-06-12 05:02 538,624 C:\WINDOWS\system32\spider.exe
2006-06-12 05:02 501,248 C:\WINDOWS\system32\clbcatq.dll
2006-06-12 05:02 5,120 C:\WINDOWS\system32\dcomcnfg.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-06-12 05:02 44,544 C:\WINDOWS\system32\hticons.dll
2006-06-12 05:02 425,472 C:\WINDOWS\system32\msdtcprx.dll
2006-06-12 05:02 407,552 C:\WINDOWS\system32\mstsc.exe
2006-06-12 05:02 4,096 C:\WINDOWS\system32\rdpcfgex.dll
2006-06-12 05:02 4,096 C:\WINDOWS\system32\mtxex.dll
2006-06-12 05:02 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-06-12 05:02 35,328 C:\WINDOWS\system32\winchat.exe
2006-06-12 05:02 345,088 C:\WINDOWS\system32\hypertrm.dll
2006-06-12 05:02 343,040 C:\WINDOWS\system32\mspaint.exe
2006-06-12 05:02 33,792 C:\WINDOWS\system32\regini.exe
2006-06-12 05:02 295,424 C:\WINDOWS\system32\termsrv.dll
2006-06-12 05:02 25,600 C:\WINDOWS\system32\comaddin.dll
2006-06-12 05:02 25,088 C:\WINDOWS\system32\mtxlegih.dll
2006-06-12 05:02 229,888 C:\WINDOWS\system32\catsrv.dll
2006-06-12 05:02 227,840 C:\WINDOWS\system32\avtapi.dll
2006-06-12 05:02 22,016 C:\WINDOWS\system32\qwinsta.exe
2006-06-12 05:02 20,992 C:\WINDOWS\system32\msg.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\qprocess.exe
2006-06-12 05:02 20,480 C:\WINDOWS\system32\mtxdm.dll
2006-06-12 05:02 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-06-12 05:02 185,344 C:\WINDOWS\system32\cmprops.dll
2006-06-12 05:02 183,808 C:\WINDOWS\system32\accwiz.exe
2006-06-12 05:02 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-06-12 05:02 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-06-12 05:02 16,896 C:\WINDOWS\system32\tsshutdn.exe
2006-06-12 05:02 16,896 C:\WINDOWS\system32\qappsrv.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\tskill.exe
2006-06-12 05:02 16,384 C:\WINDOWS\system32\avmeter.dll
2006-06-12 05:02 15,872 C:\WINDOWS\system32\rwinsta.exe
2006-06-12 05:02 15,872 C:\WINDOWS\system32\cdmodem.dll
2006-06-12 05:02 15,360 C:\WINDOWS\system32\logoff.exe
2006-06-12 05:02 147,968 C:\WINDOWS\system32\rdchost.dll
2006-06-12 05:02 147,456 C:\WINDOWS\system32\comsnap.dll
 
here's part 2:

2006-06-12 05:02 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tsdiscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\tscon.exe
2006-06-12 05:02 14,848 C:\WINDOWS\system32\shadow.exe
2006-06-12 05:02 138,752 C:\WINDOWS\system32\sndvol32.exe
2006-06-12 05:02 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-06-12 05:02 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-06-12 05:02 126,976 C:\WINDOWS\system32\mshearts.exe
2006-06-12 05:02 123,392 C:\WINDOWS\system32\mplay32.exe
2006-06-12 05:02 119,808 C:\WINDOWS\system32\winmine.exe
2006-06-12 05:02 114,688 C:\WINDOWS\system32\calc.exe
2006-06-12 05:02 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-06-12 05:02 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-06-12 05:02 11,264 C:\WINDOWS\system32\icaapi.dll
2006-06-12 05:02 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-06-12 05:02 1,251,840 C:\WINDOWS\system32\comsvcs.dll
2006-06-12 05:02 1,161 C:\WINDOWS\system32\usrlogon.cmd
2006-06-04 22:40 31,248,128 C:\back_up.reg


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PRISMSVR.EXE"="\"C:\\WINDOWS\\system32\\PRISMSVR.EXE\" /APPLY"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RegistryMechanic"=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: Tue 07/18/2006 12:15:37.64
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-18.121515.txt
 
and here's a fresh HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:04 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Opera\Opera.exe
C:\applicationas\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
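The two R1 proxy entries (AutoConfigURL and ProxyServer set to a bare IP), the missing URLSearchHook, and the Active Desktop components sourced from local HTML files in the ComboFix registry dump are the indicators a helper triages in the logs above. The following is an added example written for this thread, not part of HijackThis, ComboFix or SmitfraudFix; it parses sample lines copied from the logs above and flags exactly those indicators.

```python
"""Triage of HijackThis-style log lines and a .reg-style Desktop Components
dump. Added example for this thread: the parsing rules and the sample input
below are constructed here, not taken from any of the tools' own code."""
import re

# Bare IPv4 address with an optional :port, as seen in the R1 lines above.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Constructed sample: lines copied from the HijackThis log in this post.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 213.105.224.12
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.105.224.12:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# Constructed sample: keys copied from the ComboFix "Reg Loading Points" dump.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"""


def triage_hjt(log: str) -> list:
    """Return (line, reason) pairs for suspicious R-section entries.

    Flags proxy settings that point at a bare IP (a PAC/proxy hijack sends
    all browsing through a host the user never configured) and a removed
    URLSearchHook, which browser hijackers strip so their own hook wins."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"^(R[013]) - (.+?),(\w+) = (.*)$", line)
        if m:
            name, value = m.group(3), m.group(4)
            if name in ("AutoConfigURL", "ProxyServer") and IPV4.match(value):
                findings.append((line, f"{name} points at a bare IP address"))
            elif name == "AutoConfigURL":
                findings.append((line, "proxy auto-config URL is set"))
            continue
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append((line, "URLSearchHook removed"))
    return findings


def triage_desktop_components(reg: str) -> list:
    """Return Source values of numbered Desktop Components keys that load a
    local file. A legitimate component is About:Home or a subscribed URL;
    an HTML file dropped under Program Files is the classic fake-warning
    desktop hijack that SmitfraudFix also reports."""
    findings = []
    in_component = False
    for line in reg.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_component = re.search(r"desktop\\components\\\d+\]$", line, re.I) is not None
            continue
        m = re.match(r'^"Source"="(.*)"$', line)
        if in_component and m:
            src = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
            if re.match(r"^[A-Za-z]:\\", src):
                findings.append(src)
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f"[HJT] {reason}: {line}")
    for src in triage_desktop_components(SAMPLE_REG):
        print(f"[Desktop] local-file component source: {src}")
```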
 
Alrighty then.. :)

---

Please run the F-Secure Online Scanner

Note: This scanner is for internet explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.

---

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply along with the F-Secure report.
 
Hey, just a quick question: that F-Secure online scanner, I've run it twice now, and each time when I get back to the computer the scan has apparently finished, but the window isn't open anymore, and there's no logfile or completion notification. Is that right, or is something going wrong there?
 
Oh, and here's the GMER log; I'll post the F-Secure log after I get back from work if it's finished normally. Thanks again for all this help, it's very much appreciated! :D

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-18 20:19:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F914C85A] avgtdi.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE B61FD400

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{6B30774D-5F6E-4FBA-B33C-15A96DD121D0}

---- EOF - GMER 1.0.10 ----
 
OK, here's the F-Secure scan log:

Scanning Report
Tuesday, July 18, 2006 20:25:24 - 03:47:35

Computer name: MATT
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 1 malware found
W32/Backdoor (virus)
C:\APPLICATIONAS\COMIC_BOOK_MANAGER_V1.07.EXE
Statistics
Scanned:
Files: 20865
System: 4307
Not scanned: 4
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\FENRIF\LOCAL SETTINGS\TEMP\HSPERFDATA_FENRIF\4024
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-18
F-Secure Libra: 2.4.1, 2006-07-12
F-Secure Orion: 1.2.37, 2006-07-18
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-06-05
F-Secure Draco: 1.0.35, 2006-07-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
 
Alright.. :)

---

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\APPLICATIONAS\COMIC_BOOK_MANAGER_V1.07.EXE
    C:\WINDOWS\system32\shadow.exe
    C:\warebundlenew.exe
    C:\warebundle2.exe
    C:\WINDOWS\system32\aaa00000.sys
    C:\WINDOWS\system32\aqcebdip.dll
    C:\WINDOWS\system32\esubf39b.sys


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

---

Please download SmitfraudFix by S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 
OK, here's the SmitfraudFix logfile; also, I did not receive the PendingFileRenameOperations prompt when running Killbox:

SmitFraudFix v2.74

Scan done at 12:55:31.80, Wed 07/19/2006
Run from C:\Documents and Settings\fenrif\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\fenrif\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\fenrif\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzetety.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\MSN\\howy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Delete the following files:

C:\Program Files\MSN Gaming Zone\kyzetety.html
C:\Program Files\MSN\howy.html


Empty recycle bin.

---

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :)
 
ActiveScan log

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\applicationas\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\fenrif\Cookies\fenrif@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\fenrif\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\fenrif\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@888[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@cassava[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Matthew\Cookies\matthew@winfixer[2].txt
 