Help

Hi

I have borrowed a laptop from a friend, so I won't have to connect to the internet from the infected computer anymore. I have burned Windows SP1a to a disc, but have not installed it on the infected computer. Tell me if you would like me to install it.

Thanks

Alex
 
Hi

Yes ... it's a good idea to keep off the net until we can stop you getting re-infected ...

As you say you are now infected again since posting these latest logs ... run SUPERAntiSpyware again (it's the one which keeps removing the infection for you) ... then install SP1 ...

As soon as you have installed SP1 .. do this :-

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ...

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:
File::
C:\WINDOWS\mraerea.exe
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\stdole32.dat
C:\WINDOWS\system32\4039909485.dat
C:\WINDOWS\system32\actxprxyv.exe
C:\WINDOWS\reppor.exe
C:\WINDOWS\system32\cmcache.dat

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.gif]


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

steam
 
Hi

ComboFix 07-09-30.5 - ALEX 2007-10-07 20:07:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.81 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\mraerea.exe
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\stdole32.dat
C:\WINDOWS\system32\4039909485.dat
C:\WINDOWS\system32\actxprxyv.exe
C:\WINDOWS\reppor.exe
C:\WINDOWS\system32\cmcache.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mraerea.exe
C:\WINDOWS\reppor.exe
C:\WINDOWS\system32\4039909485.dat
C:\WINDOWS\system32\actxprxyv.exe
C:\WINDOWS\system32\cmcache.dat
C:\WINDOWS\system32\stdole32.dat
C:\WINDOWS\system32\sulimo.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-02 16:06 <DIR> d-------- C:\Deckard
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 14:41 --------- d-------- C:\Program Files\Ivde
2007-09-30 20:55 --------- d-------- C:\Program Files\MBKWBar
2007-09-30 18:26 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 23:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 23:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 22:59 --------- d-------- C:\Program Files\Symantec
2007-09-29 22:56 --------- d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 01:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-08 03:20:12 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-08 03:26:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 20:21:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\update.sys
C:\WINDOWS\system32\drivers\usb8023.sys
C:\WINDOWS\system32\drivers\usbcamd.sys
C:\WINDOWS\system32\drivers\usbcamd2.sys
C:\WINDOWS\system32\drivers\usbccgp.sys
C:\WINDOWS\system32\drivers\usbd.sys
C:\WINDOWS\system32\drivers\usbehci.sys
C:\WINDOWS\system32\drivers\usbhub.sys
C:\WINDOWS\system32\drivers\usbintel.sys
C:\WINDOWS\system32\drivers\usbport.sys
C:\WINDOWS\system32\drivers\usbprint.sys
C:\WINDOWS\system32\drivers\usbscan.sys
C:\WINDOWS\system32\drivers\usbstor.sys
C:\WINDOWS\system32\drivers\usbuhci.sys
C:\WINDOWS\system32\drivers\vdmindvd.sys
C:\WINDOWS\system32\drivers\vga.sys
C:\WINDOWS\system32\drivers\videoprt.sys
C:\WINDOWS\system32\drivers\volsnap.sys
C:\WINDOWS\system32\drivers\wacompen.sys
C:\WINDOWS\system32\drivers\wanarp.sys
C:\WINDOWS\system32\drivers\wdmaud.sys
C:\WINDOWS\system32\drivers\wlluc48.sys
C:\WINDOWS\system32\drivers\wmilib.sys
C:\WINDOWS\system32\drivers\ws2ifsl.sys
C:\WINDOWS\system32\drivers\yacxgc.sys
C:\WINDOWS\system32\drivers\Ygny51.sys
C:\WINDOWS\system32\drivers\TVALG.SYS
C:\WINDOWS\system32\drivers\udfs.sys

scan completed successfully
hidden files: 28

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ygny51]

.
Completion time: 2007-10-07 20:29:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 20:28
C:\ComboFix2.txt ... 2007-10-07 17:40
C:\ComboFix3.txt ... 2007-10-05 21:15
.
--- E O F ---

Alex
 
Hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:53 PM, on 10/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)

--
End of file - 8882 bytes

Alex
 
Hi

Disconnect from the internet and close ALL browser windows (including this one). Run HijackThis and tick to fix (check the box next to) the entries in the list below. When all are ticked (checked), click the Fix Checked button at the bottom :-

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sexofactory.com/ie

O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat

O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)


Reboot into Safe Mode (Click Here for instructions), then find and delete :-

C:\WINDOWS\System32\cmcache.dat ... file

Still in Safe Mode ... run HijackThis again, and if any of the above entries (which you fixed in normal mode) are still there ... fix them again ...

Reboot back into NORMAL mode ... run HijackThis again and post the new log in your next reply here ...

steam
 
Hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:52 PM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\WINDOWS\System32\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\WINDOWS\System32\actxprxyv.exe (file missing)

--
End of file - 8634 bytes

Alex
 
Hi

I see there were still some you could not delete...

When you tried to delete this file:

C:\WINDOWS\System32\cmcache.dat

Did it say the file was in use? Or couldn't you find it?

I also see you were unable to remove the entry in HijackThis showing the file running from AppInit_DLLs:

Let's try something else ...

First:

Go to Start > Run and type Services.msc > click OK

Scroll down and find the service called Smart Card Helper SCardDrvImapiService

Double-click on it

Click the Stop button

Change the Startup Type to Disabled

Click Apply and then OK

Then:

Scroll down and find the service called WMI Performance Adapter WmiApSrvwinmgmt

Double-click on it

Click the Stop button

Change the Startup Type to Disabled

Click Apply and then OK

And close any open windows

THEN

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\System32\cmcache.dat

Registry::
[HKLM\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
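As an added example (not part of this thread, and not a feature of HijackThis or ComboFix), the checks steam applied by eye to the O20 and O23 lines can be written down as rules and run over the posted log lines. The sample lines are copied from the HijackThis log above; the rule names and the small table of genuine Windows XP service names (SCardDrv, ImapiService, WmiApSrv, winmgmt) are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed input: the O20/O23 lines from the HijackThis log above, plus a
# few benign entries from the same log so the rules have something to ignore.
SAMPLE_LOG = """\
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgamsvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\System32\\HPZipm12.exe
O23 - Service: Smart Card Helper SCardDrvImapiService (SCardDrvImapiService) - Unknown owner - C:\\WINDOWS\\System32\\acctresh.exe (file missing)
O23 - Service: WMI Performance Adapter WmiApSrvwinmgmt (WmiApSrvwinmgmt) - Unknown owner - C:\\WINDOWS\\System32\\actxprxyv.exe (file missing)
"""

# Genuine Windows XP service names (short name -> display name). Deliberately
# tiny: only what is needed to show how the two rogue services were named.
XP_SERVICES = {
    "SCardDrv": "Smart Card Helper",
    "ImapiService": "IMAPI CD-Burning COM Service",
    "WmiApSrv": "WMI Performance Adapter",
    "winmgmt": "Windows Management Instrumentation",
}

O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# O23 - Service: <display> [(<short>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def glued_names(short):
    """Return (a, b) if `short` is exactly two real XP service names run together."""
    for i in range(1, len(short)):
        a, b = short[:i], short[i:]
        if a in XP_SERVICES and b in XP_SERVICES:
            return a, b
    return None


def triage(log_text):
    """Apply the rules to every line; return the list of findings (possibly empty)."""
    findings = []
    for line in log_text.splitlines():
        m = O20_APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is space/comma separated (which is why entries use
            # 8.3 paths); each entry is loaded into every process that loads
            # user32.dll, so anything here deserves a look, and a non-.dll
            # extension means the file is disguising what it is.
            for entry in filter(None, re.split(r"[ ,]+", m["value"].strip())):
                rule = "appinit-present" if entry.lower().endswith(".dll") else "appinit-nondll"
                findings.append(Finding(rule, entry, line))
            continue
        m = O23_RE.match(line)
        if m:
            short = m["short"] or m["display"]
            if m["owner"] == "Unknown owner" and m["missing"]:
                # A registered service whose binary is gone and whose vendor is
                # unknown: either a removal that missed the registry, or a
                # malware service waiting for its file to be re-dropped.
                findings.append(Finding("service-orphan", m["path"], line))
            pair = glued_names(short)
            if pair:
                findings.append(Finding("service-glued-name", "+".join(pair), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.detail}")
```

Run on the sample, the two rogue services each trip both service rules (no vendor, image missing, and a short name that is two legitimate XP service names run together), while the AVG, HP and SUPERAntiSpyware entries produce nothing.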
 
Hi

I did find
C:\WINDOWS\System32\cmcache.dat
and I did delete it, but it came back.

ComboFix 07-09-30.5 - ALEX 2007-10-09 17:58:34.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.91 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\cmcache.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\cmcache.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-02 16:06 <DIR> d-------- C:\Deckard
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat
2007-09-09 20:34 <DIR> d-------- C:\Program Files\Microsoft Streets and Trips

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 22:09 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 22:02 27840 --a------ C:\WINDOWS\java\x.exe
2007-10-07 22:02 --------- d-------- C:\Program Files\VisualRoute
2007-10-03 14:41 --------- d-------- C:\Program Files\Ivde
2007-09-30 20:55 --------- d-------- C:\Program Files\MBKWBar
2007-09-29 23:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-29 23:00 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 22:59 --------- d-------- C:\Program Files\Symantec
2007-09-29 22:56 --------- d-------- C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 15:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 09:28 --------- d-------- C:\Program Files\MySpace
2007-08-23 21:57 --------- d-------- C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-16 19:12 --------- d-------- C:\Program Files\Opera
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2002-09-08 11:11 56832 --ahsc--- C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\cmcache.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-10 00:20:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-10 01:16:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 18:09:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\update.sys
C:\WINDOWS\system32\drivers\usb8023.sys
C:\WINDOWS\system32\drivers\usbcamd.sys
C:\WINDOWS\system32\drivers\usbcamd2.sys
C:\WINDOWS\system32\drivers\usbccgp.sys
C:\WINDOWS\system32\drivers\usbd.sys
C:\WINDOWS\system32\drivers\usbehci.sys
C:\WINDOWS\system32\drivers\usbhub.sys
C:\WINDOWS\system32\drivers\usbintel.sys
C:\WINDOWS\system32\drivers\usbport.sys
C:\WINDOWS\system32\drivers\usbprint.sys
C:\WINDOWS\system32\drivers\usbscan.sys
C:\WINDOWS\system32\drivers\usbstor.sys
C:\WINDOWS\system32\drivers\usbuhci.sys
C:\WINDOWS\system32\drivers\vdmindvd.sys
C:\WINDOWS\system32\drivers\vga.sys
C:\WINDOWS\system32\drivers\videoprt.sys
C:\WINDOWS\system32\drivers\volsnap.sys
C:\WINDOWS\system32\drivers\wacompen.sys
C:\WINDOWS\system32\drivers\wanarp.sys
C:\WINDOWS\system32\drivers\wdmaud.sys
C:\WINDOWS\system32\drivers\wlluc48.sys
C:\WINDOWS\system32\drivers\wmilib.sys
C:\WINDOWS\system32\drivers\ws2ifsl.sys
C:\WINDOWS\system32\drivers\yacxgc.sys
C:\WINDOWS\system32\drivers\Ygny51.sys
C:\WINDOWS\system32\drivers\TVALG.SYS
C:\WINDOWS\system32\drivers\udfs.sys

scan completed successfully
hidden files: 28

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ygny51]

.
Completion time: 2007-10-09 18:19:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-07 20:29
C:\ComboFix3.txt ... 2007-10-07 17:40
.
--- E O F ---
 
Hi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:39 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8316 bytes

Alex
 
Hi

Well, we keep deleting the cmcache.dat file, but it's still there...

Let's try another way...

First...

Run HijackThis and fix this entry:

O20 - AppInit_DLLs: C:\WINDOWS\System32\cmcache.dat


THEN ...

1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box

Code:
Files to delete:
C:\WINDOWS\system32\cmcache.dat

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


7. Click Done
8. Click the Traffic Light icon to start the program.
9. Click Yes to execute the script, and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

After the reboot, run HijackThis and post a new log.

Don't forget to post the contents of the file C:\Avenger.txt,

and also please post a new ComboFix log.

---
You have a new file which I don't like the look of:

C:\WINDOWS\java\x.exe

It came in at the same time as this folder:

C:\Program Files\VisualRoute

As you have not been on the net, did you install VisualRoute from a CD?

2007-10-07 22:02 27840 --a------ C:\WINDOWS\java\x.exe
2007-10-07 22:02 --------- d-------- C:\Program Files\VisualRoute

I would like you to upload the x.exe file to Jotti or VirusTotal and have it scanned, but I don't want you to go back on the net until we have removed the cmcache.dat file, so we'll do that later.

steam
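Added example, not from the thread and not part of ComboFix itself: the reasoning in the post above ("it came in at the same time as this folder") is a timestamp pivot over ComboFix's file listings. The code parses the "Files Created" and "Find3M" line formats, splits the timeline into arrival bursts (a service-pack install is one big burst, a dropped file is a burst of one) and lists what landed within a minute of a suspect path. The sample listing is a handful of lines copied from the ComboFix report above, both sections mixed together as they arrive when pasted; the one-minute window and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed input: lines copied from the "Files Created" and "Find3M"
# sections of the ComboFix report above, mixed together the way they arrive
# when a report is pasted into a thread. Find3M lines from 2001 carry seconds.
SAMPLE_LISTING = """\
2007-10-08 15:52 <DIR> d-------- C:\\WINDOWS\\pss
2007-10-07 18:14 76,288 --a------ C:\\WINDOWS\\system32\\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\\WINDOWS\\system32\\browsewm.dll
2007-10-07 18:13 74,810 --a------ C:\\WINDOWS\\system32\\atl.dll
2007-10-07 18:12 22,528 --a------ C:\\WINDOWS\\system32\\at.exe
2007-09-26 15:48 543,104 --a------ C:\\WINDOWS\\system32\\drivers\\BCMWL5.SYS
2007-09-26 15:48 <DIR> d-------- C:\\Program Files\\Linksys
2007-09-15 21:47 6,144 --a------ C:\\WINDOWS\\system32\\cmcache.dat
.
((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))
2007-10-07 22:02 27840 --a------ C:\\WINDOWS\\java\\x.exe
2007-10-07 22:02 --------- d-------- C:\\Program Files\\VisualRoute
2001-08-18 12:00:00 94,784 -csh--w C:\\WINDOWS\\twain.dll
"""

# <date> <time[:ss]> <size | <DIR> | ---------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>[-a-zA-Z]+)\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    when: datetime
    path: str
    is_dir: bool
    size: Optional[int]  # None for directories and for Find3M lines without a size


def parse_listing(text) -> List[Entry]:
    """Parse ComboFix file-listing lines; banners, dots and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, size = m["stamp"], m["size"]
        fmt = "%Y-%m-%d %H:%M:%S" if stamp.count(":") == 2 else "%Y-%m-%d %H:%M"
        entries.append(Entry(
            when=datetime.strptime(stamp, fmt),
            path=m["path"].rstrip(),
            is_dir=size == "<DIR>" or m["attrs"].startswith("d"),
            size=int(size.replace(",", "")) if size[0].isdigit() else None,
        ))
    return sorted(entries, key=lambda e: e.when)  # stable: equal stamps keep file order


def co_arrivals(entries, suspect, window=timedelta(minutes=1)):
    """Everything else written within `window` of `suspect` (paths compared case-insensitively)."""
    key = suspect.lower()
    hits = [e for e in entries if e.path.lower() == key]
    if not hits:
        raise KeyError(suspect)
    t = hits[0].when
    return [e for e in entries if e.path.lower() != key and abs(e.when - t) <= window]


def arrival_groups(entries, gap=timedelta(minutes=1)):
    """Split the sorted timeline into bursts: consecutive entries no more than `gap` apart."""
    groups: List[List[Entry]] = []
    for e in entries:
        if groups and e.when - groups[-1][-1].when <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    for g in arrival_groups(ents):
        print(f"{g[0].when:%Y-%m-%d %H:%M}  {len(g):2} item(s)  e.g. {g[0].path}")
    print("arrived with x.exe:", [e.path for e in co_arrivals(ents, r"C:\WINDOWS\java\x.exe")])
```

On the sample, x.exe pivots to exactly one neighbour (the VisualRoute folder), cmcache.dat has none, and the SP1 system32 files collapse into one burst, which is how an install is told apart from a drop.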
 
Hi

I didn't install VisualRoute; I deleted it from my computer.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pdiouikw

*******************

Script file located at: \??\C:\WINDOWS\System32\ffheafnr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:46 PM, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8299 bytes
 
Hi

ComboFix 07-10-11.3 - ALEX 2007-10-10 17:37:44.8 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\YGNY51.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_YGNY51


((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-10 16:43 60,416 --a------ C:\WINDOWS\system32\drivers\dicn^hua.sys
2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 23:34 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS
2007-09-15 21:47 6,144 --a------ C:\WINDOWS\system32\cmcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 05:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 05:02 --------- d-----w C:\Program Files\VisualRoute
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar
2007-09-30 06:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-30 05:59 --------- d-----w C:\Program Files\Symantec
2007-09-30 05:56 --------- d-----w C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 03:41 --------- d-----w C:\Program Files\Microsoft Streets and Trips
2007-08-25 16:28 --------- d-----w C:\Program Files\MySpace
2007-08-24 04:57 --------- d-----w C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-17 02:12 --------- d-----w C:\Program Files\Opera
2004-11-04 19:02 41,648 -c--a-w C:\Documents and Settings\ALEX\Application Data\GDIPFONTCACHEV1.DAT
2002-09-08 18:11 56,832 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"windows auto update"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-11 00:20:25 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-11 00:56:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 17:55:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-10 18:00:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-09 18:19
C:\ComboFix3.txt ... 2007-10-07 20:29
.
--- E O F ---

Alex
 
Hi

When you copied the script into Avenger, did you include the ...

Files to delete:
C:\WINDOWS\system32\cmcache.dat


Because the Avenger log doesn't even mention it, but it should say whether it found it & whether it deleted it ...

Avenger did execute the second part of the script :-


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


It no longer shows in hijackthis or Combofix, so we have stopped its method of running ...

We'll try & delete the file again ... (still shown in Combofix)

You still have the VisualRoute folder, so we'll delete that as well...

Also this new file :-

2007-10-10 16:43 60,416 --a------ C:\WINDOWS\system32\drivers\dicn^hua.sys

& this run key which doesn't show in hijackthis ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="" []

---
So ... the above was just to let you know what's happening ... this is what I want you to do :-

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\System32\cmcache.dat
C:\WINDOWS\system32\drivers\dicn^hua.sys

Folder::
C:\Program Files\VisualRoute

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"=-

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Then please run this :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode :-

Reboot into >>>safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum


steam
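The post above works through the ComboFix "Reg Loading Points" output by eye: a Run value with an empty command ("windows auto update"="" []) that HijackThis never listed, a driver file nobody installed, and an AppInit_DLLs loader that was neutralised with a dummy value. The script below is an added example, not code from this thread, from ComboFix or from SDFix; it automates that first pass over a ComboFix log. It assumes the ComboFix line format visible in the logs on this page ("name"="command" [file metadata]) and uses two heuristics of my own: names that borrow Windows vocabulary without pointing at a full path are worth a look, and any SecurityProviders entry outside the Windows XP default set (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) should have its publisher verified. The sample log is a constructed, trimmed copy of lines from the ComboFix log posted above.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example).

Parses the Run-key blocks and the SecurityProviders line that ComboFix prints
and returns the findings a malware-removal helper would want to look at first:
empty Run values (the kind HijackThis does not list), entries whose target
ComboFix recorded no file details for, names that imitate Windows components,
and security providers outside the Windows XP default set.
"""
import re

# ComboFix prints each Run value as:  "name"="command" [file metadata]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
PROVIDERS_RE = re.compile(r'^SecurityProviders\s+(?P<list>.+)$')

# Heuristic (my assumption, not something the thread states): Run-value names
# that borrow Windows vocabulary deserve a look when they carry no full path.
LOOKALIKE_RE = re.compile(r'windows|microsoft|update|security', re.IGNORECASE)

# Default SecurityProviders on Windows XP; anything else should be verified.
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample: a trimmed copy of the Run-key blocks and the
# SecurityProviders line from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"TFncKy"="TFncKy.exe" []
"windows auto update"="" []
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
"""


def analyze(log_text):
    """Return a list of {'key', 'name', 'reason'} findings for a ComboFix log."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        prov_match = PROVIDERS_RE.match(line)
        if prov_match:
            providers = {p.strip().lower() for p in prov_match.group("list").split(",")}
            for extra in sorted(providers - XP_DEFAULT_PROVIDERS):
                findings.append({"key": current_key, "name": extra,
                                 "reason": "SecurityProviders entry not in the XP default set; verify its publisher"})
            continue
        entry = ENTRY_RE.match(line)
        # Only Run keys are triaged here; other blocks are passed over.
        if not entry or current_key is None or not current_key.lower().endswith("\\run"):
            continue
        name, cmd, meta = entry.group("name"), entry.group("cmd"), entry.group("meta")
        if name == "@":
            continue  # the key's (Default) value; ComboFix prints it even when empty
        if cmd == "":
            findings.append({"key": current_key, "name": name,
                             "reason": "empty Run value; HijackThis omits these, so check it by hand"})
        elif meta == "":
            findings.append({"key": current_key, "name": name,
                             "reason": "no file metadata recorded; the target was probably not found on disk"})
        if LOOKALIKE_RE.search(name) and "\\" not in cmd:
            findings.append({"key": current_key, "name": name,
                             "reason": "name imitates a Windows component but carries no full path"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding['name']!r:24} {finding['reason']}  [{finding['key']}]")
```

Run it against a saved ComboFix.txt by reading the file into `analyze()` instead of `SAMPLE_LOG`. On the sample it flags "windows auto update" twice (empty value and Windows-style name), the two entries ComboFix recorded no file details for ("TFncKy" and "Yahoo! Pager"), the empty "MSWheel" value, and zwebauth.dll as a provider outside the XP default list; the ordinary vendor entries such as "00THotkey" and "AVG7_CC" produce nothing. A flag is a prompt to look, not a verdict: the empty "MSWheel" value and the missing-file entries are just as likely to be leftovers from uninstalled software as anything hostile.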
 
Hi

When I copied the text into avenger I'm pretty sure I included

Files to delete:
C:\WINDOWS\system32\cmcache.dat

ComboFix 07-10-11.3 - ALEX 2007-10-11 16:54:29.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.62 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\cmcache.dat
C:\WINDOWS\system32\drivers\dicn^hua.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\VisualRoute
C:\Program Files\VisualRoute\keyv8-FFFFFFFFB4CF4577-A.bin
C:\Program Files\VisualRoute\startup.ini
C:\Program Files\VisualRoute\trv80.bin
C:\Program Files\VisualRoute\vr\console.txt
C:\Program Files\VisualRoute\vr\dns\216.130.164.198.txt
C:\Program Files\VisualRoute\vr\hops\216.130.164.198.txt
C:\Program Files\VisualRoute\vr\mru.txt
C:\Program Files\VisualRoute\vr\rdns\198.32.160.100.txt
C:\Program Files\VisualRoute\vr\rdns\63.93.97.197.txt
C:\Program Files\VisualRoute\vr\rdns\63.93.97.42.txt
C:\Program Files\VisualRoute\vr\rdns\66.162.144.29.txt
C:\Program Files\VisualRoute\vr\rdns\66.192.255.2.txt
C:\Program Files\VisualRoute\vr\rdns\66.52.181.187.txt
C:\Program Files\VisualRoute\vr\whois\arin-198.32.160.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-216.130.164.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-63.93.97.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.162.144.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.192.240.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.192.250.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.192.255.0.txt
C:\Program Files\VisualRoute\vr\whois\arin-66.52.181.0.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-198-32-0-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-216-130-160-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-63-93-96-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-66-192-0-0-1.txt
C:\Program Files\VisualRoute\vr\whois\whois.arin.net-HANDLE-NET-66-52-0-0-1.txt
C:\WINDOWS\System32\cmcache.dat
C:\WINDOWS\system32\drivers\dicn^hua.sys

.
((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 23:34 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 05:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 05:02 27,840 ----a-w C:\WINDOWS\java\x.exe
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar
2007-09-30 06:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-30 05:59 --------- d-----w C:\Program Files\Symantec
2007-09-30 05:56 --------- d-----w C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 03:41 --------- d-----w C:\Program Files\Microsoft Streets and Trips
2007-08-25 16:28 --------- d-----w C:\Program Files\MySpace
2007-08-24 04:57 --------- d-----w C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-17 02:12 --------- d-----w C:\Program Files\Opera
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2004-11-04 19:02 41,648 -c--a-w C:\Documents and Settings\ALEX\Application Data\GDIPFONTCACHEV1.DAT
2002-09-08 18:11 56,832 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_17.59.46.04 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 262,144 2007-10-11 23:54:26 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
----a-w 262,144 2007-10-11 00:37:40 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-11 01:20:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-11 23:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 17:00:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 17:01:38
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-10 18:00
C:\ComboFix3.txt ... 2007-10-09 18:19
.
--- E O F ---


SDFix: Version 1.108

Run by ALEX on Thu 10/11/2007 at 05:54 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\grcbmvcv.exe.tmp - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 18 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Sat 18 Aug 2001 46,592 ..SH. --- "C:\WINDOWS\twain_32.dll"
Sat 18 Aug 2001 995,383 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Sat 18 Aug 2001 50,688 ..SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Thu 29 Aug 2002 401,462 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Thu 29 Aug 2002 323,072 A.SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Thu 29 Aug 2002 569,344 ..SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Sat 18 Aug 2001 106,496 ..SH. --- "C:\WINDOWS\system32\olepro32.dll"
Sat 18 Aug 2001 9,728 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Sun 4 Dec 2005 3,285,296 A..H. --- "C:\Documents and Settings\ALEX\My Documents\keysetup13.exe"
Fri 4 Jul 2003 119,736 A..H. --- "C:\Documents and Settings\ALEX\My Documents\mtwlingo.exe"
Tue 26 Sep 2006 15,626,209 A..H. --- "C:\Documents and Settings\ALEX\My Documents\PICS 4 GDL.zip"
Sat 2 Aug 2003 391,213 A..H. --- "C:\Documents and Settings\ALEX\My Documents\wwmv0104b02.exe"
Sun 24 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 25 Sep 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}\BITF5.tmp"
Mon 6 Nov 2000 6,784 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\clcd16.dll"
Mon 6 Nov 2000 30,208 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\clcd32.dll"
Mon 6 Nov 2000 177,152 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\clokspl.exe"
Fri 18 Jun 1999 485,600 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\DPLAY61A.EXE"
Mon 6 Nov 2000 138,752 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\dplayerx.dll"
Mon 6 Nov 2000 34,304 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\drvmgt.dll"
Thu 2 Sep 1999 53,304 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\EBUEula.dll"
Thu 25 Nov 1999 2,560,000 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\empires2.exe"
Mon 28 Sep 1998 365,568 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\HA312W32.DLL"
Thu 30 Sep 1999 565,248 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\language.dll"
Mon 6 Nov 2000 67,584 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\mcp.dll"
Tue 3 Nov 1998 112,688 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\SHW32.DLL"
Wed 26 May 2004 19,968 ...H. --- "C:\Documents and Settings\ALEX\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 10 Jul 2005 28,672 ...H. --- "C:\Documents and Settings\ALEX\Application Data\Microsoft\Word\~WRL0004.tmp"
Mon 13 Jun 2005 585,216 ...H. --- "C:\Documents and Settings\ALEX\Application Data\Microsoft\Word\~WRL1077.tmp"
Sat 21 Dec 2002 4,650,695 A..H. --- "C:\Documents and Settings\ALEX\My Documents\3 SEMESTER\CD\kmd202_en.exe"
Tue 9 Sep 1997 29,184 ...H. --- "C:\Documents and Settings\ALEX\My Documents\Age of Empires II\Data\closedpw.exe"

Finished!

Alex
 
Hi

We finally got rid of the cmcache.dat file ...

Nothing new has been created so I think we are just about ready to connect to the net again ...

Just these 3 items shown in Combofix, left to deal with ...

2007-10-08 05:02 27,840 ----a-w C:\WINDOWS\java\x.exe
2007-10-03 21:41 --------- d-----w C:\Program Files\Ivde
2007-10-01 03:55 --------- d-----w C:\Program Files\MBKWBar

RE: C:\Program Files\MBKWBar

This is an adware toolbar which generates pop-up advertisements ... please uninstall from add/remove programs in the Control Panel ... you will see it listed as MBKWBar - Toolbar

RE: C:\Program Files\Ivde ... I think this folder may be empty (it did have a Trojan downloader in it); please let me know if it is empty.

RE: C:\WINDOWS\java\x.exe

This C:\WINDOWS\java\x.exe is still in your last Combofix ... it was not in the log before that, but first showed in the one before that...

This is almost certainly malware, please have it scanned and post the results...

Please go here and upload this file ...

C:\WINDOWS\java\x.exe

http://www.virustotal.com/flash/index_en.html

Click the browse button & browse to the file on your computer

Post back the results ... right click on the page > select all

right click again copy

post the results in your next post here...

SO ... connect to the net & let me know how it goes

steam
 
Hi

RE: C:\Program Files\MBKWBar

I couldn't remove it with the add/remove program in the Control Panel because I didn't find it in there. So I went to C:\Program Files\MBKWBar and deleted it.

RE: C:\Program Files\Ivde
Yes, the folder is empty, but the rest is in the virus vault; it was Mcdutc.exe

RE: C:\WINDOWS\java\x.exe
I couldn't find this file, I went to Java folder and I also did a search for the file and nothing came up.

I have around 150 files in the AVG virus vault, do you think I should delete everything in there?

Thanks
Alex
 
Hi Alex

It would have been better to see if there was an uninstall file in the MBKWBar folder before deleting it; you will now have leftover entries in the registry, which might have been removed by an uninstall file, but that's no big issue...

Seeing as combofix keeps finding the C:\WINDOWS\java\x.exe file (& it's not something you need) we'll see if Combofix can delete it ...

Did you delete this (empty) folder C:\Program Files\Ivde ?

Next step ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\java\x.exe

Folder::
C:\Program Files\Ivde

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Then I want you to connect to the internet & do the following :-

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ... (in your case jre1.5.0_08)

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

-
THEN ...

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

please remember to post ...

1. combofix log
2. A new hijackthis log

Oh & YES ... empty the AVG quarantine folder ... they're no problem there, but you don't need to keep them.

& let me know if you have any problems ...

steam
 
Hi

No, I didn't delete the empty folder C:\Program Files\Ivde, but I went and checked and it was gone.

I did download Java JRE 6, but I didn't install it. Did you want me to install it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:41 PM, on 10/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\S3Tray2.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.toshiba.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Linksys Wireless-N Notebook Adapter] C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3657561249-101265881-2389969595-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100911663445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8174 bytes

Alex
 
Hi

I still can't open my notepad, but hijack and combofix can open it. Why do you think this happens?

ComboFix 07-10-11.3 - ALEX 2007-10-13 17:19:57.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.64 [GMT -7:00]
Running from: C:\Documents and Settings\ALEX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEX\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\java\x.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Ivde
C:\WINDOWS\java\x.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-11 17:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-08 15:52 <DIR> d-------- C:\WINDOWS\pss
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 18:31 <DIR> d-------- C:\WINDOWS\ehome
2007-10-07 18:21 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-10-07 18:14 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-10-07 18:14 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-10-07 18:14 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-10-07 18:14 59,904 --a------ C:\WINDOWS\system32\cabinet.dll
2007-10-07 18:14 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-10-07 18:14 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-10-07 18:13 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-10-07 18:13 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-10-07 18:13 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-10-07 18:12 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-10-07 18:12 32,512 --------- C:\WINDOWS\system32\drivers\amdk7.sys
2007-10-07 18:12 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-10-07 18:12 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-10-07 18:11 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-10-07 18:11 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-10-07 18:11 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-10-07 18:11 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-10-07 18:11 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-10-07 18:11 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-10-07 18:10 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-10-07 18:09 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-10-07 18:09 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-09-30 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 18:29 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\SUPERAntiSpyware.com
2007-09-30 17:54 3,470 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-29 17:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-28 23:34 <DIR> d-------- C:\Documents and Settings\ALEX\Application Data\AVG7
2007-09-28 23:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-28 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-28 22:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-28 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\NetWorkSwitch.temp
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-09-28 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Drag'n Drop CD
2007-09-27 18:50 68,608 --a------ C:\WINDOWS\system32\locator.exe
2007-09-27 18:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\locator.exe
2007-09-27 18:47 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Funk Software
2007-09-26 15:49 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-26 15:48 <DIR> d-------- C:\Program Files\Linksys
2007-09-26 15:48 1,706,800 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-09-26 15:48 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-09-26 15:48 1,496,064 --a------ C:\WINDOWS\system32\cc3250mt.dll
2007-09-26 15:48 543,104 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
2007-09-26 15:48 94,208 --a------ C:\WINDOWS\system32\W32N50CT.DLL
2007-09-26 15:48 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-09-26 15:48 17,142 --a------ C:\WINDOWS\system32\CBTNDIS5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 05:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 06:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-30 05:59 --------- d-----w C:\Program Files\Symantec
2007-09-30 05:56 --------- d-----w C:\Documents and Settings\ALEX\Application Data\Lavasoft
2007-09-26 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-10 03:41 --------- d-----w C:\Program Files\Microsoft Streets and Trips
2007-08-25 16:28 --------- d-----w C:\Program Files\MySpace
2007-08-24 04:57 --------- d-----w C:\Documents and Settings\ALEX\Application Data\MySpace
2007-08-17 02:12 --------- d-----w C:\Program Files\Opera
2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2004-11-04 19:02 41,648 -c--a-w C:\Documents and Settings\ALEX\Application Data\GDIPFONTCACHEV1.DAT
2002-09-08 18:11 56,832 -csha-w C:\Program Files\Thumbs.db
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2001-08-18 12:00:00 46,592 -csh--w C:\WINDOWS\twain_32.dll
2001-08-18 12:00:00 995,383 --sh--w C:\WINDOWS\system32\mfc42.dll
2001-08-18 12:00:00 50,688 -csh--w C:\WINDOWS\system32\msvcirt.dll
2002-08-29 10:41:08 401,462 --sha-w C:\WINDOWS\system32\msvcp60.dll
2002-08-29 10:41:08 323,072 --sha-w C:\WINDOWS\system32\msvcrt.dll
2002-08-29 10:41:10 569,344 --sh--w C:\WINDOWS\system32\oleaut32.dll
2001-08-18 12:00:00 106,496 --sh--w C:\WINDOWS\system32\olepro32.dll
2001-08-18 12:00:00 9,728 -csh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_17.59.46.04 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-10-10 20:15:32 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 5,976,064 2007-10-12 00:53:52 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 159,744 2007-10-12 00:53:53 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-10-10 20:15:32 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 5,976,064 2007-10-12 00:53:39 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 159,744 2007-10-12 00:53:39 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 262,144 2007-10-14 00:19:53 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
----a-w 262,144 2007-10-11 00:37:40 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-04-15 18:35]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2001-11-14 03:37]
"S3Hotkey"="s3hotkey.exe" [2001-09-12 21:27 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-20 16:38 C:\WINDOWS\system32\S3Tray2.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 C:\WINDOWS\system32\TFNF5.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"TFncKy"="TFncKy.exe" []
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 07:11]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-04-09 17:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"kmw_run.exe"="kmw_run.exe" [2003-05-27 14:48 C:\WINDOWS\system32\kmw_run.exe]
"MSWheel"="" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"Linksys Wireless-N Notebook Adapter"="C:\Program Files\Linksys\Wireless-N Network Monitor\WPC300N.exe" [2006-04-28 05:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-28 23:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 21:31]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-02-01 19:49:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-02-01 19:49 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\System32\DRIVERS\TVALG.SYS
R2 NICSer_WPC300N;NICSer_WPC300N;C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\System32\DRIVERS\tsdhd.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\System32\DRIVERS\KMW_USB.sys
S3 pciSd;pciSd;C:\WINDOWS\System32\DRIVERS\tossdpci.sys
S3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\System32\drivers\yacxgc.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\System32\DRIVERS\wlluc48.sys
S4 SCardDrvImapiService;Smart Card Helper SCardDrvImapiService;C:\WINDOWS\System32\acctresh.exe srv
S4 WmiApSrvwinmgmt;WMI Performance Adapter WmiApSrvwinmgmt;C:\WINDOWS\System32\actxprxyv.exe srv

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:05:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-14 00:20:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-14 00:21:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 17:25:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-13 17:26:35
C:\ComboFix-quarantined-files.txt ... 2007-10-09 18:18
C:\ComboFix2.txt ... 2007-10-11 17:01
C:\ComboFix3.txt ... 2007-10-10 18:00
.
--- E O F ---

Alex
 
Hi Alex

Have you connected to the net yet ?

I see you did have both of these ...

C:\Program Files\Ivde
C:\WINDOWS\java\x.exe


& Combofix deleted them ...

Combofix is now clean ...

-
You don't appear to have run Ccleaner ... please do that...

-
YES .. install the new java ...

-
RE: Notepad ... try this ...

The notepad which is used when you open a txt file is in the C:\WINDOWS\system32\notepad.exe folder

There is a backup for the notepad.exe file in the C:\WINDOWS\notepad.exe folder

There is an infection going round which renames the notepad.exe to notpad.exe (note the missing e) ...

& creates a new bogus notepad.exe file ...

SO ... try this ...

Go to C:\WINDOWS\system32 & see if you have both files ... notepad.exe & notpad.exe ?

Assuming you have both ... the bogus notepad.exe file will be about 3k in size

the renamed legit file (notpad.exe) will be about 67k

-Notpad.exe (the correct one - 67kb - with right icon)
-Notepad.exe .......(a false one - 3kb - with wrong icon)

So...

1. Delete the Notepad.exe in the system32 folder

2. Rename the Notpad.exe in the system32 folder back to Notepad.exe or Copy & paste the Notepad.exe from the C:\WINDOWS folder back into the C:\WINDOWS\system32 folder ...

After doing all the above ... please post a new hijackthis log.

steam
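The notepad.exe / notpad.exe check steam describes above, written out as a small detection script. This is an added example, not code from the thread or from any of the tools mentioned in it. It builds a constructed stand-in for C:\WINDOWS\system32 in a temporary directory so it runs offline on any OS, and the size thresholds are assumptions derived from the figures quoted in the post (about 3k for the bogus file, about 67k for the renamed original), so they are heuristics rather than exact values.

```python
"""Detect the notepad.exe -> notpad.exe rename-and-replace trick.

Added example (not from the forum thread). The size thresholds below are
assumptions based on the post's figures: bogus notepad.exe ~3 KB, renamed
legitimate notpad.exe ~67 KB.
"""
import os
import tempfile

SUSPICIOUS_MAX_BYTES = 8 * 1024   # assumption: anything this small is not a real notepad.exe
LEGIT_MIN_BYTES = 48 * 1024       # assumption: the real XP notepad.exe is well above this


def check_notepad_swap(system32):
    """Inspect *system32* for the swap pattern and return a verdict dict.

    Keys: 'notepad_size' and 'notpad_size' (None if the file is absent),
    'swapped' (True when the pattern from the post is present) and 'advice'.
    """
    def size_of(name):
        # NTFS names are case-insensitive; emulate that so "Notpad.exe" is
        # still found when this runs on a case-sensitive filesystem.
        for entry in os.listdir(system32):
            if entry.lower() == name:
                return os.path.getsize(os.path.join(system32, entry))
        return None

    notepad = size_of("notepad.exe")
    notpad = size_of("notpad.exe")

    # The swap pattern: a large renamed original next to a tiny (or missing) notepad.exe.
    swapped = (
        notpad is not None
        and notpad >= LEGIT_MIN_BYTES
        and (notepad is None or notepad <= SUSPICIOUS_MAX_BYTES)
    )

    if swapped:
        advice = "notepad.exe looks bogus; notpad.exe is the renamed original"
    elif notpad is not None:
        advice = "notpad.exe present but sizes do not match the swap pattern; inspect manually"
    elif notepad is None:
        advice = "notepad.exe missing; restore the copy from C:\\WINDOWS\\notepad.exe"
    else:
        advice = "no swap indicators found"

    return {
        "notepad_size": notepad,
        "notpad_size": notpad,
        "swapped": swapped,
        "advice": advice,
    }


def build_sample(swapped=True):
    """Create a constructed temporary directory imitating system32.

    Constructed sample data only: the files are zero-filled placeholders with
    the sizes the post quotes, not real executables.
    """
    d = tempfile.mkdtemp(prefix="sys32_")
    if swapped:
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"\x00" * 3072)           # ~3 KB stand-in for the bogus file
        with open(os.path.join(d, "Notpad.exe"), "wb") as f:
            f.write(b"\x00" * 67 * 1024)      # ~67 KB stand-in for the renamed original
    else:
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"\x00" * 67 * 1024)      # a healthy-looking notepad.exe only
    return d


if __name__ == "__main__":
    for flag in (True, False):
        print(check_notepad_swap(build_sample(swapped=flag)))
```

On a real machine you would point `check_notepad_swap` at `C:\WINDOWS\system32` instead of the constructed directory; the function only reads directory entries and sizes, so it is safe to run on a suspect box before deciding whether to delete and rename anything.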
 