smitfraud-c.toolbar888

P

PARTSMAN70

New member
please assist me with the above problem.I've been trying for days to get rid of it...thanks partsman...

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.22.106.182 bhsv51
O1 - Hosts: 192.110.68.101 adp.kiaprod.kiausa.com
O1 - Hosts: 192.110.68.102 dcs.kiausa.com
O1 - Hosts: 192.110.68.102 ftp.kiaweb.kiausa.com
O1 - Hosts: 206.22.106.129 sda.ds.adp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINNT\system32\tmp428.tmp.dll
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINNT\ietools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {89558207-90d2-4c5b-abac-3dbb071d5c6d} - C:\WINNT\system32\atrduk.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\system32\lsasss.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINNT\byvuro.dll",realset
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O20 - AppInit_DLLs: c:\winnt\system32\mlljjkk.dll
O20 - Winlogon Notify: atrduk - C:\WINNT\SYSTEM32\atrduk.dll
O20 - Winlogon Notify: kbduba - kbduba.dll (file missing)
O21 - SSODL: mssms - {77DFA47D-1D19-4FC9-8D33-874A0C9D9F6A} - C:\WINNT\mssms.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
 
sorry i missed top of page

Logfile of HijackThis v1.99.1
Scan saved at 4:24:32 PM, on 6/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.22.106.182 bhsv51
O1 - Hosts: 192.110.68.101 adp.kiaprod.kiausa.com
O1 - Hosts: 192.110.68.102 dcs.kiausa.com
O1 - Hosts: 192.110.68.102 ftp.kiaweb.kiausa.com
O1 - Hosts: 206.22.106.129 sda.ds.adp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINNT\system32\tmp438.tmp.dll
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINNT\ietools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {89558207-90d2-4c5b-abac-3dbb071d5c6d} - C:\WINNT\system32\atrduk.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\system32\lsasss.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINNT\cbxurq.dll",realset
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O20 - AppInit_DLLs: c:\winnt\system32\mlljjkk.dll
O20 - Winlogon Notify: atrduk - C:\WINNT\SYSTEM32\atrduk.dll
O20 - Winlogon Notify: kbduba - kbduba.dll (file missing)
O21 - SSODL: mssms - {77DFA47D-1D19-4FC9-8D33-874A0C9D9F6A} - C:\WINNT\mssms.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
 
Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
VundoFix V6.5.1

Checking Java version...

Scan started at 10:17:35 AM 6/28/2007

Listing files found while scanning....

C:\WINNT\system32\tmp2F0.tmp.dll

Beginning removal...

Performing Repairs to the registry.
Done!
 
Logfile of HijackThis v1.99.1
Scan saved at 10:28:10 AM, on 6/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.22.106.182 bhsv51
O1 - Hosts: 192.110.68.101 adp.kiaprod.kiausa.com
O1 - Hosts: 192.110.68.102 dcs.kiausa.com
O1 - Hosts: 192.110.68.102 ftp.kiaweb.kiausa.com
O1 - Hosts: 206.22.106.129 sda.ds.adp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINNT\system32\tmp5.tmp.dll
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINNT\ietools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89558207-90d2-4c5b-abac-3dbb071d5c6d} - C:\WINNT\system32\atrduk.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINNT\system32\lsasss.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINNT\yaxxxu.dll",realset
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O20 - AppInit_DLLs: c:\winnt\system32\mlljjkk.dll
O20 - Winlogon Notify: atrduk - C:\WINNT\SYSTEM32\atrduk.dll
O20 - Winlogon Notify: kbduba - kbduba.dll (file missing)
O21 - SSODL: mssms - {77DFA47D-1D19-4FC9-8D33-874A0C9D9F6A} - C:\WINNT\mssms.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
 
Hi

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

Post:

- a fresh HijackThis log
- combofix report
- contents of awf.txt
 
"pquser2" - 06/28/2007 10:35:24 - ComboFix 07-06-27.7 - Service Pack 4 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\awtqpnl.dll
C:\WINNT\system32\awvtqoo.dll
C:\WINNT\system32\awvtutu.dll
C:\WINNT\system32\ddccyxy.dll
C:\WINNT\system32\jkkllkj.dll
C:\WINNT\system32\mlljgdd.dll
C:\WINNT\system32\mlljjkk.dll
C:\WINNT\system32\pmnnnno.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\pquser2\APPLIC~1.\macromedia\Flash Player\#SharedObjects\J7RECVEJ\www.broadcaster.com
C:\DOCUME~1\pquser2\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\pquser2\APPLIC~1\tmp160.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp161.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp162.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp163.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp2F0.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp436.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp438.tmp.exe
C:\DOCUME~1\pquser2\APPLIC~1\tmp5.tmp.exe
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\CompWiz.xml
C:\WINNT\search_res.txt
C:\WINNT\system32\winsys.exe


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-28 10:40 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4d0.dat
2007-06-28 10:34 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-28 10:27 134,903 --a------ C:\WINNT\yaxxxu.dll
2007-06-28 10:17 <DIR> d-------- C:\VundoFix Backups
2007-06-27 17:51 134,917 --a------ C:\WINNT\xxyyvs.dll
2007-06-27 17:51 134,917 --a------ C:\WINNT\ssqrqq.dll
2007-06-27 17:19 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-06-27 17:10 59,427 --a------ C:\WINNT\system32\tmp5.tmp.dll
2007-06-27 15:54 59,427 --a------ C:\WINNT\system32\tmp438.tmp.dll
2007-06-26 17:51 59,480 --a------ C:\WINNT\system32\tmp428.tmp.dll
2007-06-26 12:45 59,480 --a------ C:\WINNT\system32\tmp3C1.tmp.dll
2007-06-26 12:45 59,480 --a------ C:\WINNT\system32\tmp3C0.tmp.dll
2007-06-26 12:42 135,052 --a------ C:\WINNT\opqrol.dll
2007-06-26 08:01 <DIR> d-------- C:\Program Files\TrojanHunter 4.0
2007-06-26 08:00 59,480 --a------ C:\WINNT\system32\tmp4.tmp.dll
2007-06-26 07:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-25 17:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-25 17:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-25 17:33 <DIR> d-------- C:\DOCUME~1\pquser2\APPLIC~1\Lavasoft
2007-06-25 17:23 59,480 --a------ C:\WINNT\system32\tmp3.tmp.dll
2007-06-25 16:58 271,224 --a------ C:\WINNT\system32\mucltui.dll
2007-06-20 15:29 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-20 12:29 60,771 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpB.tmp.exe
2007-06-20 11:39 60,771 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp1.tmp.exe
2007-06-20 10:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-20 10:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-06-12 17:56 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-06-12 17:53 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-12 17:27 <DIR> d-------- C:\Program Files\Adaptec
2007-06-12 17:26 208,896 --a------ C:\WINNT\system32\wmpns.dll
2007-06-12 17:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\PC Tools
2007-06-11 16:43 462,848 --a------ C:\WINNT\system32\msaatext.dll
2007-06-11 16:43 360,448 --a------ C:\WINNT\system32\oleacc.dll
2007-06-11 16:43 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2007-06-11 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-11 12:50 <DIR> d-------- C:\DOCUME~1\pquser2\APPLIC~1\AdwareAlert
2007-06-08 15:43 38,247 --a------ C:\WINNT\system32\atrduk.dll
2007-05-30 09:16 72,192 --a------ C:\WINNT\mssms.dll
2007-05-30 09:16 69,120 --a------ C:\WINNT\ietools.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 21:04:24 -------- d-----w C:\Program Files\Registry Defender
2007-06-25 21:06:55 -------- d-----w C:\Program Files\PC Tools AntiVirus
2007-06-20 19:20:56 -------- d-----w C:\Program Files\Google
2007-06-11 22:02:27 -------- d-----w C:\DOCUME~1\pquser2\APPLIC~1\PC Tools
2007-06-11 21:49:37 -------- d-----w C:\Program Files\QuickTime
2007-05-16 21:06:06 -------- d-----w C:\DOCUME~1\pquser2\APPLIC~1\ADP
2007-05-16 21:04:33 -------- d-----w C:\Program Files\ADP
2007-05-16 21:04:15 -------- d-----w C:\Program Files\psqlODBC
2007-05-16 21:03:50 -------- d-----w C:\Program Files\ADP Dealer Services
2007-05-16 20:55:06 -------- d---a-w C:\Program Files\sda
2007-05-16 20:55:06 -------- d-----w C:\Program Files\Common Files\supportsoft
2007-05-16 18:42:07 -------- d-----w C:\DOCUME~1\pquser2\APPLIC~1\AdobeUM
2007-04-30 19:26:40 45,056 ----a-w C:\WINNT\system32\xcacls.exe
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 02:43:44 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:43:40 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-01-12 20:38 ]
{2724E072-19D0-486d-A819-9D914191AE92}=C:\WINNT\ietools.dll [07-05-24 06:03 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [05-05-31 01:04 ]
{89558207-90d2-4c5b-abac-3dbb071d5c6d}=C:\WINNT\system32\atrduk.dll [07-06-08 15:43 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\system32\mobsync.exe]
"Smapp"="Smtray.exe" [01-07-25 14:22 C:\WINNT\system32\SMTray.exe]
"Promon.exe"="Promon.exe" [00-04-13 07:34 C:\WINNT\system32\promon.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"THGuard"="C:\Program Files\TrojanHunter 4.0\THGuard.exe" [04-09-02 14:47 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-06-27 17:19 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}"="C:\Program Files\Roxio\GoBack\ShellExt.dll" [01-03-08 23:00 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{77DFA47D-1D19-4FC9-8D33-874A0C9D9F6A}"="C:\WINNT\mssms.dll" [07-05-24 04:37 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atrduk]
atrduk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbduba]
kbduba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\winnt\system32\mlljjkk.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-06-27 07:00:00 C:\WINNT\tasks\AdwareAlert Scheduled Scan.job
2007-06-27 07:00:00 C:\WINNT\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 10:40:12
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-28 10:42:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-28 10:41

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

07/24/2006 03:52p 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINNT\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

09/29/2004 08:15a 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

03/19/2007 02:02p 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Jul 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
344064 Sep 29 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
171448 Mar 19 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"


end of reportLogfile of HijackThis v1.99.1
Scan saved at 10:48, on 6/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINNT\ietools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89558207-90d2-4c5b-abac-3dbb071d5c6d} - C:\WINNT\system32\atrduk.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files/installers/cab/Install-Errorprotector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O20 - AppInit_DLLs: c:\winnt\system32\mlljjkk.dll
O20 - Winlogon Notify: atrduk - C:\WINNT\SYSTEM32\atrduk.dll
O20 - Winlogon Notify: kbduba - kbduba.dll (file missing)
O21 - SSODL: mssms - {77DFA47D-1D19-4FC9-8D33-874A0C9D9F6A} - C:\WINNT\mssms.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe



--- E O F ---
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINNT\ietools.dll
O2 - BHO: (no name) - {89558207-90d2-4c5b-abac-3dbb071d5c6d} - C:\WINNT\system32\atrduk.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadcontrol.com/files...ector-Free.cab
O20 - AppInit_DLLs: c:\winnt\system32\mlljjkk.dll
O20 - Winlogon Notify: atrduk - C:\WINNT\SYSTEM32\atrduk.dll
O20 - Winlogon Notify: kbduba - kbduba.dll (file missing)
O21 - SSODL: mssms - {77DFA47D-1D19-4FC9-8D33-874A0C9D9F6A} - C:\WINNT\mssms.dll

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\yaxxxu.dll
C:\WINNT\xxyyvs.dll
C:\WINNT\ssqrqq.dll
C:\WINNT\system32\tmp5.tmp.dll
C:\WINNT\system32\tmp438.tmp.dll
C:\WINNT\system32\tmp428.tmp.dll
C:\WINNT\system32\tmp3C1.tmp.dll
C:\WINNT\system32\tmp3C0.tmp.dll
C:\WINNT\opqrol.dll
C:\WINNT\system32\tmp4.tmp.dll
C:\WINNT\system32\tmp3.tmp.dll
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp1.tmp.exe
C:\WINNT\system32\atrduk.dll
C:\WINNT\mssms.dll
C:\WINNT\ietools.dll
c:\winnt\system32\mlljjkk.dll

Folder::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Program Files\SpywareBot
Click to expand...

Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Combo-Do.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
 
"pquser2" - 06/28/2007 11:24:27 - ComboFix 07-06-27.7 - Service Pack 4 NTFS
Command switches used :: C:\Documents and Settings\pquser2\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\WINNT\mssms.dll
C:\WINNT\opqrol.dll
C:\WINNT\search_res.txt
C:\WINNT\ssqrqq.dll
C:\WINNT\system32\atrduk.dll
C:\WINNT\system32\tmp3.tmp.dll
C:\WINNT\system32\tmp3C0.tmp.dll
C:\WINNT\system32\tmp3C1.tmp.dll
C:\WINNT\system32\tmp4.tmp.dll
C:\WINNT\system32\tmp428.tmp.dll
C:\WINNT\system32\tmp438.tmp.dll
C:\WINNT\system32\tmp5.tmp.dll
C:\WINNT\xxyyvs.dll
C:\WINNT\yaxxxu.dll


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-28 10:34 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-28 10:17 <DIR> d-------- C:\VundoFix Backups
2007-06-27 17:19 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-06-26 08:01 <DIR> d-------- C:\Program Files\TrojanHunter 4.0
2007-06-26 07:50 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-25 17:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-25 17:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-25 17:33 <DIR> d-------- C:\DOCUME~1\pquser2\APPLIC~1\Lavasoft
2007-06-25 16:58 271,224 --a------ C:\WINNT\system32\mucltui.dll
2007-06-20 15:29 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-20 10:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-20 10:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-06-12 17:56 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-06-12 17:53 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-12 17:27 <DIR> d-------- C:\Program Files\Adaptec
2007-06-12 17:26 208,896 --a------ C:\WINNT\system32\wmpns.dll
2007-06-12 17:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\PC Tools
2007-06-11 16:43 462,848 --a------ C:\WINNT\system32\msaatext.dll
2007-06-11 16:43 360,448 --a------ C:\WINNT\system32\oleacc.dll
2007-06-11 16:43 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2007-06-11 12:50 <DIR> d-------- C:\DOCUME~1\pquser2\APPLIC~1\AdwareAlert


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 21:04:24 -------- d-----w C:\Program Files\Registry Defender
2007-06-25 21:06:55 -------- d-----w C:\Program Files\PC Tools AntiVirus
2007-06-20 19:20:56 -------- d-----w C:\Program Files\Google
2007-06-11 22:02:27 -------- d-----w C:\DOCUME~1\pquser2\APPLIC~1\PC Tools
2007-06-11 21:49:37 -------- d-----w C:\Program Files\QuickTime
2007-05-16 21:06:06 -------- d-----w C:\DOCUME~1\pquser2\APPLIC~1\ADP
2007-05-16 21:04:33 -------- d-----w C:\Program Files\ADP
2007-05-16 21:04:15 -------- d-----w C:\Program Files\psqlODBC
2007-05-16 21:03:50 -------- d-----w C:\Program Files\ADP Dealer Services
2007-05-16 20:55:06 -------- d---a-w C:\Program Files\sda
2007-05-16 20:55:06 -------- d-----w C:\Program Files\Common Files\supportsoft
2007-05-16 18:42:07 -------- d-----w C:\DOCUME~1\pquser2\APPLIC~1\AdobeUM
2007-04-30 19:26:40 45,056 ----a-w C:\WINNT\system32\xcacls.exe
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 02:43:44 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:43:40 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-01-12 20:38 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [05-05-31 01:04 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\system32\mobsync.exe]
"Smapp"="Smtray.exe" [01-07-25 14:22 C:\WINNT\system32\SMTray.exe]
"Promon.exe"="Promon.exe" [00-04-13 07:34 C:\WINNT\system32\promon.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
"THGuard"="C:\Program Files\TrojanHunter 4.0\THGuard.exe" [04-09-02 14:47 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-06-27 17:19 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}"="C:\Program Files\Roxio\GoBack\ShellExt.dll" [01-03-08 23:00 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atrduk]
atrduk.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
2007-06-27 07:00:00 C:\WINNT\tasks\AdwareAlert Scheduled Scan.job
2007-06-27 07:00:00 C:\WINNT\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 11:28:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-28 11:29:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-28 11:29
C:\ComboFix2.txt ... 07-06-28 10:42

--- E O F ---Logfile of HijackThis v1.99.1
Scan saved at 11:31, on 6/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O20 - Winlogon Notify: atrduk - atrduk.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
 
Hi

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: atrduk - atrduk.dll (file missing)

Close all windows including browser and press fix checked.

Copy text below to Notepad and save it as remawf.bat (save it as all files, *.*)

@ECHO OFF
move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
move /Y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel\"
move /Y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462"

It should look like this ->
bat.JPG


Boot in safe mode.

Doubleclick remawf.bat; black dos windows will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here with screenshots.)

Reboot.

Re-run findawf.

Post:

- a fresh HijackThis log
- findawf report
 
Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINNT\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:30, on 6/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe



end of report
 
Hi

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
 
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 14:51
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 355012


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 26313
Number of viruses found 6
Number of infected objects 15
Number of suspicious objects 0
Duration of the scan process 00:27:01

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\pquser2\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\pquser2\ntuser.dat.LOG Object is locked skipped

C:\gobackio.bin Object is locked skipped

C:\Program Files\BHPS\lic\log\lmgrd.log Object is locked skipped

C:\QooBox\Quarantine\C\DOCUME~1\pquser2\APPLIC~1\tmp160.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped

C:\QooBox\Quarantine\C\DOCUME~1\pquser2\APPLIC~1\tmp161.tmp.exe.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\DOCUME~1\pquser2\APPLIC~1\tmp162.tmp.exe.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\DOCUME~1\pquser2\APPLIC~1\tmp163.tmp.exe.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\DOCUME~1\pquser2\APPLIC~1\tmp436.tmp.exe.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\DOCUME~1\pquser2\APPLIC~1\tmp438.tmp.exe.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\WINNT\mssms.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.bn skipped

C:\QooBox\Quarantine\C\WINNT\ssqrqq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\QooBox\Quarantine\C\WINNT\system32\tmp438.tmp.dll.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\WINNT\system32\tmp5.tmp.dll.vir Infected: Trojan.Win32.BHO.bd skipped

C:\QooBox\Quarantine\C\WINNT\xxyyvs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\WINNT\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\WINNT\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped

C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{0CF0DE0E-5292-48E4-BB16-5216D220BF94}.bin Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed. Logfile of HijackThis v1.99.1
Scan saved at 14:53, on 6/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
 
Hi

Empty this folder:

C:\QooBox\Quarantine\

Empty Recycle Bin

Please download the Killbox.
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINNT\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
I think we're getting better.....

KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 15:56
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 355012


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 26268
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:27:11

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\pquser2\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\History\History.IE5\MSHist012007062820070629\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\pquser2\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\pquser2\ntuser.dat.LOG Object is locked skipped

C:\gobackio.bin Object is locked skipped

C:\Program Files\BHPS\lic\log\lmgrd.log Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{0CF0DE0E-5292-48E4-BB16-5216D220BF94}.bin Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 15:57, on 6/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\sda\bin\tgsrvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\BHPS\lic\bin\bhepcls.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: WWW.AUTOPARTNERS.NET
O15 - Trusted Zone: WWW.DEALERWORLD.COM
O16 - DPF: {00906302-0F14-442C-B39C-275F61BC25BC} (atSdaCfg Control) - file://D:\autorun\atSdaCfg.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - file://D:\autorun\PC-CONFIG-CHECK.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182367978265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182367959359
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C340251-7F16-468B-86D0-0DA8E10E98AE}: NameServer = 24.92.226.11,24.92.226.12
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ProQuest Product License Manager - Macrovision Corporation - C:\PROGRA~1\BHPS\lic\\bin\lmgrd.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SupportSoft Repair Service (sda) (tgsrvc_sda) - SupportSoft, Inc. - C:\Program Files\sda\bin\tgsrvc.exe
 
I think we're good to go........

I can't fully express my awe at the ability of you folks to diagnose and repair problems like this.......and on a volunteer basis no less!! A Pay Pal donation will be coming forthwith. A thousand thanks........

Partsman
 
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Update Acrobat Reader to version 8.0.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
 
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top