security warning: this computer may be infected with harmful or unwanted software!

[*]Jotti / Virus total results

Eveything came us as 0 bytes...

[*]ComboFix Log

ComboFix 07-10-26.4 - Tom 2007-10-27 21:13:47.3 - NTFSx86
Running from: C:\Documents and Settings\Tom\My Documents\Virus Killers\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\134tmp.exe
C:\135tmp.exe
C:\13tmp.exe
C:\WINDOWS\system32\awtrrpo.dll
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\RabioSetup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\134tmp.exe
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\system32\cookie1.dat
C:\WINDOWS\system32\gugwuocq.dll
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\RabioSetup.exe
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\vbmqmywp.dll
C:\WINDOWS\system32\yxlyosbu.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 20:43 <DIR> d----c--- C:\Documents and Settings\Tom\Application Data\AVG7
2007-10-27 20:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-27 20:42 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-27 00:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 13:16 <DIR> d-------- C:\Program Files\Microsoft Calculator Plus
2007-10-22 23:23 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-10-22 22:52 2,440 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-22 22:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-22 22:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-22 19:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-22 19:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-22 19:47 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-22 19:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-22 19:47 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-22 13:18 <DIR> d-------- C:\Program Files\Adsense Helper Object
2007-10-22 00:50 <DIR> d----c--- C:\Documents and Settings\Tom\Application Data\Grisoft
2007-10-22 00:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-22 00:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-22 00:43 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-21 23:37 <DIR> d----c--- C:\VundoFix Backups
2007-10-21 23:22 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-21 23:14 <DIR> d----c--- C:\Documents and Settings\Tom\Application Data\GetRightToGo
2007-10-21 22:46 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-21 22:46 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-21 22:46 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-21 22:44 <DIR> d-------- C:\Program Files\Google
2007-10-21 19:01 <DIR> d--hs---- C:\WINDOWS\RFYgQ3VzdG9tZXI
2007-10-21 19:01 17,408 --a--c--- C:\psapi.dll
2007-10-19 21:27 <DIR> d-------- C:\Program Files\Xvid
2007-10-19 20:50 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-19 16:52 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-19 16:50 <DIR> d-------- C:\Program Files\MSBuild
2007-10-19 16:50 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-19 16:47 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-19 16:44 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-19 16:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-19 16:31 <DIR> dr-h-c--- C:\MSOCache
2007-10-19 15:42 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-19 15:32 <DIR> d-------- C:\WINDOWS\EHome
2007-10-17 12:55 <DIR> d----c--- C:\Temp
2007-10-17 12:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\shctxex.vb
2007-10-17 12:31 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-10-17 12:31 516,173 --a------ C:\WINDOWS\system32\msvcp60d.dll
2007-10-17 12:31 385,100 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-10-17 12:31 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-10-17 12:31 69,632 --a------ C:\WINDOWS\system32\vzcontextmenu.dll
2007-10-17 12:31 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2007-10-17 12:31 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2007-10-17 12:15 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-10-17 11:53 <DIR> d----c--- C:\MediaCell
2007-10-17 11:21 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-17 11:20 <DIR> d-------- C:\Program Files\Blaze Media Pro
2007-10-05 12:31 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2007-10-03 18:18 <DIR> d-------- C:\Program Files\MSN Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 09:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 19:30 --------- d-----w C:\Program Files\Waves
2007-10-19 19:30 --------- d-----w C:\Program Files\FLAC
2007-10-19 19:30 --------- d-----w C:\Program Files\DivX
2007-09-21 17:41 --------- d-----w C:\Program Files\Queens of the Stone Age Active Desktop
2007-09-21 11:18 --------- dc----w C:\Documents and Settings\Tom\Application Data\MSN6
2007-09-21 10:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-09-17 01:50 15,939 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-09-12 14:30 --------- d-----w C:\Program Files\InterActual
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\RFYgQ3VzdG9tZXI ----



((((((((((((((((((((((((((((( snapshot@2007-10-27_15.24.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-27 19:42:41 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-27 19:42:45 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-10-27 19:42:45 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-10-27 19:42:47 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-10-27 19:42:47 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18FA53D3-B7A8-4309-8045-D43D6AA2DCE9}]
2007-10-22 13:18 26112 --a------ C:\Program Files\Adsense Helper Object\aho.v5.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 22:10]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 08:06 C:\WINDOWS\system32\ptipbmf.dll]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 19:54 C:\WINDOWS\SOUNDMAN.EXE]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41]
"DeltTray"="DeltTray.exe" [2002-12-06 17:19 C:\WINDOWS\system32\delttray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 17:28]
"NWEReboot"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-14 13:35]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"workflow"="E:\installs\workflow.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-16 00:45]
"74c2da49"="C:\WINDOWS\system32\gugwuocq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-27 20:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Ooei"="C:\PROGRA~1\COMMON~1\SKS~1\netdde.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk
backup=C:\WINDOWS\pss\Microsoft Office Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Find Fast Indexer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Find Fast Indexer.lnk
backup=C:\WINDOWS\pss\Microsoft Office Find Fast Indexer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk
backup=C:\WINDOWS\pss\Microsoft Office Shortcut Bar.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\yukonx86.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 09:26:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 21:18:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 21:20:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 15:24
.
--- E O F ---

[*]Contents of C:\Kresults.txt

Volume in drive C is System
Volume Serial Number is 74C2-DAE6

Directory of C:\Documents and Settings\Tom\Desktop

Volume in drive C is System
Volume Serial Number is 74C2-DAE6

Directory of C:\Documents and Settings\Tom\Desktop

Volume in drive C is System
Volume Serial Number is 74C2-DAE6

Directory of C:\Program Files

[.]
[..]
[Adobe]
[Adsense Helper Object]
[ahead]
[Analog Devices]
[Apple Software Update]
[ATI Technologies]
[AviSynth 2.5]
[Belkin]
[Blaze Media Pro]
[CDisplay]
[Common Files]
[ComPlus Applications]
[CyberLink]
[Digital Design Ltd]
[DivX]
[DVD Decrypter]
[ffdshow]
[FLAC]
[FLVPlayer]
[Google]
[Grisoft]
[HighMAT CD Writing Wizard]
[Incomplete]
[InstallShield Installation Information]
[Intel]
[InterActual]
[Internet Explorer]
[iPod]
[IrfanView]
[iTunes]
[Java]
[LitexMedia]
[Marvell]
[Messenger]
[Microsoft Calculator Plus]
[microsoft frontpage]
[Microsoft IntelliPoint]
[Microsoft IntelliType Pro]
[Microsoft Office]
[Microsoft Visual Studio]
[Microsoft Works]
[Microsoft.NET]
[Movie Maker]
[Mozilla Firefox]
[MSBuild]
[MSN Gaming Zone]
[MSN Messenger]
[MuvAudio]
[MyWay]
[NetMeeting]
[Netscape]
[NoAdware3]
[Online Services]
[Outlook Express]
[Queens of the Stone Age Active Desktop]
[QuickTime]
[Real]
[Samsung]
[Spyware Nuker 2004]
[Steinberg]
[tunebite]
[TurnTool]
[Uninstall Information]
[Waves]
[Western Digital Technologies]
[Winamp]
[Windows Journal Viewer]
[Windows Media Player]
[Windows NT]
[WindowsUpdate]
[WinRAR]
[xerox]
[Xvid]

0 File(s) 0 bytes
75 Dir(s) 4,599,631,872 bytes free
 
[*]A fresh HJT log (after all the above has been done)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:57, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Tom\My Documents\Virus Killers\HijackThis\HijackThis.exe

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Adsense Helper Object - {18FA53D3-B7A8-4309-8045-D43D6AA2DCE9} - C:\Program Files\Adsense Helper Object\aho.v5.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [workflow] E:\installs\workflow.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [74c2da49] rundll32.exe "C:\WINDOWS\system32\gugwuocq.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ooei] "C:\PROGRA~1\COMMON~1\SKS~1\netdde.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/abarth/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192801435718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1192801426359
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Dhcbe_a_ds - Midiman/M-Audio - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8618 bytes

[*]How are things running now ?

Things seem to be running fine at the moment. The only unusual thing that's happening at the moment is that a shortcut for IE keeps popping up on my desktop every time I boot the computer. I remove it and then it's there again next time I start up! It's annoying as I don't even use IE but not that disruptive really...
 
Do you know what these are ?
E:\installs\workflow.exe
C:\PROGRA~1\COMMON~1\SKS~1\netdde.exe
The information I can find says they are legitimate, but they look odd to me.

If you can find them, please could you upload them to Jotti for me :)
(you may need to show hidden files and folders, if you need help just let me know)


These are considered to be dubious programs

Remove Programs
Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • MyWay >> See info HERE
  • Adsense Helper Object >> See info HERE
  • Spyware Nuker 2004 >> Personal choice See info HERE
  • NoAdware3 >> Personal choice See info HERE
  • InterActual Has been linked with Spyware, I can find no current information
Now close the Control Panel.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines (if still Present)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: Adsense Helper Object - {18FA53D3-B7A8-4309-8045-D43D6AA2DCE9} - C:\Program Files\Adsense Helper Object\aho.v5.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [74c2da49] rundll32.exe "C:\WINDOWS\system32\gugwuocq.dll",b

O23 - Service: Dhcbe_a_ds - Midiman/M-Audio - (no file)
Click to expand...
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Kaspersky Online Scanner .

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the report in your reply along with a fresh HJT log.
 
OK, I've just done an AVG system scan. It's about 40% of the way through 'healing infected files' - all 6741 of them! I'll let that finish and then I'll follow the steps in your latest post :)
 
katana said:
How's it going ?
Click to expand...

Sorry for my absence, I've been pretty busy since the weekend. The computer seems to be running fine at the moment. It's a little slower but I think that's due to all the anti-spyware, anti-virus stuff I have running now!

The Kapersky scanner won't work for me for some reason but here's a fresh HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:59, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MSOffice\Office\FINDFAST.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tom\My Documents\Virus Killers\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [workflow] E:\installs\workflow.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ooei] "C:\PROGRA~1\COMMON~1\SKS~1\netdde.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/abarth/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192801435718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1192801426359
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Dhcbe_a_ds - Midiman/M-Audio - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8367 bytes
 
I click 'Kapersky Online Scanner' and then the privacy statement pops up, I press 'accept' and it does nothing. :spider:
 
Are you using IE or FireFox ?
It should work with FireFox, but I have had a few problems myself.
Try IE if you haven't already :)
 
You must log in or register to reply here.
Back
Top