TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Atom on July 02, 2007, 09:31:43 PM

Title: Random Music, Virus?
Post by: Atom on July 02, 2007, 09:31:43 PM

My computer plays random music when no programs are running. Any one know how to fix this? thanks


Logfile of HijackThis v1.99.1
Scan saved at 10:28:08 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\ieredir.exe
C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\csrss.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/ (http://\"http://google.bearshare.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2F851444-52D9-5636-1F36-03FEE90A8197} - C:\WINDOWS\system32\6VTbJnDH.dll
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: 0 - {FC50DF3C-90C6-4C07-3083-FF6E758DA4B8} - C:\Program Files\Common Files\lavu.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" /c
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"  -osboot
O4 - HKLM\..\Run: [pfsvgae] C:\Program Files\pfsvgae.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

Title: Random Music, Virus?
Post by: guestolo on July 02, 2007, 10:40:28 PM

Hi Atom, let's do the following below please and see what your log looks like afterwards

Print the rest of these instructions or save them too a text file on desktop for reference please

Download [color=\"red\"]SDFix[/color] (http://\"http://downloads.andymanchesta.com/RemovalTools/SDFix.exe\") and save this to your desktop
We will need it in a bit

Download and save [color=\"red\"]Brute Force Uninstaller[/color] (http://\"http://www.merijn.org/files/bfu.zip\")[/b] to the desktop

• Right click the BFU folder on your desktop, and choose Extract All
  
• Click "Next"
• In the box to choose where to extract the files to, click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
  
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
  

[color=\"red\"]RIGHT-CLICK HERE[/color] (http://\"http://metallica.geekstogo.com/alcanshorty.bfu\")[/b] and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"red\"]Alcan worm remover[/color].
Save it to the
same folder you made earlier (C:\BFU).

Again, we will need this later

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/ (http://\"http://google.bearshare.com/\")
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)

O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2F851444-52D9-5636-1F36-03FEE90A8197} - C:\WINDOWS\system32\6VTbJnDH.dll
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)

O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)

O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: 0 - {FC50DF3C-90C6-4C07-3083-FF6E758DA4B8} - C:\Program Files\Common Files\lavu.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [pfsvgae] C:\Program Files\pfsvgae.exe

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [hwfutczk.exe] C:\Documents and Settings\All Users\Application Data\hwfutczk.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Don't worry if you receive any error messages with Hijackthis, just carry on please

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Go to Start > My Computer and navigate to the C:\BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
  
• Next to the scriptline to execute field click the folder icon (http://metallica.geekstogo.com/foldericon.png)
  and select alcanshorty.bfu
  
• Press Execute and let it do it's job. (You ought to see a progress bar if you did this correctly.)
  
• Wait for the complete script execution box to pop up and press OK.
  
• Press exit to terminate the BFU program.
  

SDFix
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  

I'll need to see that report later

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://\"ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe\")

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
• Back at the main window, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
  
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
  
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  (http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  

Back in Windows

One last tool
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\") and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back all the following please, even if it takes more than one reply to do so

1. Post the log from Combofix >>C:\Combofix.txt (Don't post quarantine list.txt unless asked please)
2. Post the report from Dr.Web >>>DrWeb.csv
3. Post a fresh hijackthis log
4. Post the Report.txt in the SDFix folder

Title: Random Music, Virus?
Post by: Atom on July 03, 2007, 12:56:41 AM

"    " - 2007-07-03  1:43:03 - ComboFix 07-06-27.7 - Service Pack 2  NTFS  


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\profsy.html
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\biprep.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\drv32dta
C:\WINDOWS\system32\drv32dta\klg.tmp
C:\WINDOWS\system32\drv32dta\pstore_070510_195537.txt
C:\WINDOWS\system32\drv32dta\pstore_070510_214722.txt
C:\WINDOWS\system32\drv32dta\pstore_070511_110202.txt
C:\WINDOWS\system32\drv32dta\pstore_070512_210629.txt
C:\WINDOWS\system32\drv32dta\pstore_070513_213841.txt
C:\WINDOWS\system32\drv32dta\pstore_070514_144117.txt
C:\WINDOWS\system32\drv32dta\pstore_070514_144455.txt
C:\WINDOWS\system32\drv32dta\pstore_070515_160610.txt
C:\WINDOWS\system32\drv32dta\pstore_070516_160115.txt
C:\WINDOWS\system32\drv32dta\pstore_070517_115257.txt
C:\WINDOWS\system32\drv32dta\pstore_070517_150040.txt
C:\WINDOWS\system32\drv32dta\pstore_070517_151649.txt
C:\WINDOWS\system32\drv32dta\pstore_070517_234706.txt
C:\WINDOWS\system32\drv32dta\pstore_070518_002850.txt
C:\WINDOWS\system32\drv32dta\pstore_070518_113727.txt
C:\WINDOWS\system32\drv32dta\pstore_070520_165324.txt
C:\WINDOWS\system32\drv32dta\pstore_070521_115532.txt
C:\WINDOWS\system32\drv32dta\pstore_070521_195922.txt
C:\WINDOWS\system32\drv32dta\pstore_070522_141111.txt
C:\WINDOWS\system32\drv32dta\pstore_070522_161713.txt
C:\WINDOWS\system32\drv32dta\pstore_070522_220247.txt
C:\WINDOWS\system32\drv32dta\pstore_070522_225532.txt
C:\WINDOWS\system32\drv32dta\pstore_070522_235357.txt
C:\WINDOWS\system32\drv32dta\pstore_070523_114702.txt
C:\WINDOWS\system32\drv32dta\pstore_070523_151029.txt
C:\WINDOWS\system32\drv32dta\pstore_070524_150515.txt
C:\WINDOWS\system32\drv32dta\pstore_070525_115812.txt
C:\WINDOWS\system32\drv32dta\pstore_070525_135440.txt
C:\WINDOWS\system32\drv32dta\pstore_070529_162116.txt
C:\WINDOWS\system32\drv32dta\pstore_070529_165233.txt
C:\WINDOWS\system32\drv32dta\pstore_070530_015231.txt
C:\WINDOWS\system32\drv32dta\pstore_070530_110934.txt
C:\WINDOWS\system32\drv32dta\pstore_070530_173353.txt
C:\WINDOWS\system32\drv32dta\pstore_070531_113259.txt
C:\WINDOWS\system32\drv32dta\pstore_070531_145120.txt
C:\WINDOWS\system32\drv32dta\pstore_070601_193636.txt
C:\WINDOWS\system32\drv32dta\pstore_070602_220056.txt
C:\WINDOWS\system32\drv32dta\pstore_070603_150119.txt
C:\WINDOWS\system32\drv32dta\pstore_070603_213838.txt
C:\WINDOWS\system32\drv32dta\pstore_070604_152622.txt
C:\WINDOWS\system32\drv32dta\pstore_070605_160649.txt
C:\WINDOWS\system32\drv32dta\pstore_070605_161301.txt
C:\WINDOWS\system32\drv32dta\pstore_070606_160458.txt
C:\WINDOWS\system32\drv32dta\pstore_070607_023529.txt
C:\WINDOWS\system32\drv32dta\pstore_070607_170428.txt
C:\WINDOWS\system32\drv32dta\pstore_070608_205459.txt
C:\WINDOWS\system32\drv32dta\pstore_070610_020459.txt
C:\WINDOWS\system32\drv32dta\pstore_070610_220405.txt
C:\WINDOWS\system32\drv32dta\pstore_070611_160039.txt
C:\WINDOWS\system32\drv32dta\pstore_070612_160652.txt
C:\WINDOWS\system32\drv32dta\pstore_070612_221849.txt
C:\WINDOWS\system32\drv32dta\pstore_070612_223309.txt
C:\WINDOWS\system32\drv32dta\pstore_070612_225033.txt
C:\WINDOWS\system32\drv32dta\pstore_070613_164005.txt
C:\WINDOWS\system32\drv32dta\pstore_070613_233850.txt
C:\WINDOWS\system32\drv32dta\pstore_070614_151254.txt
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wml.exe


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


(((((((((((((((((((((((((   Files Created from 2007-06-03 to 2007-07-03  )))))))))))))))))))))))))))))))


2007-07-03 01:41    49,152    --a------    C:\WINDOWS\nircmd.exe
2007-07-03 00:16    <DIR>    d--------    C:\DOCUME~1\ZACTHI~1\DoctorWeb
2007-07-03 00:01    <DIR>    d--------    C:\WINDOWS\ERUNT
2007-07-03 00:00    <DIR>    d--------    C:\bintheredunthat
2007-06-18 23:23    <DIR>    d--------    C:\WINDOWS\system32\qchrqilr
2007-06-18 21:58    99,072    --a------    C:\qchrqilr1.exe
2007-06-18 21:58    94,464    --a------    C:\qchrqilr3.exe
2007-06-18 21:58    286,720    --a------    C:\WINDOWS\system32\scchk32.exe
2007-06-18 21:58    100,096    --a------    C:\qchrqilr2.exe
2007-06-14 02:18    4    --a------    C:\WINDOWS\system32\stfv.bin
2007-06-14 02:18    12    --a------    C:\WINDOWS\system32\sl.bin
2007-06-14 02:17    25,856    --a------    C:\WINDOWS\vxddsk.exe


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 06:11:45    190,560    ----a-w    C:\DOCUME~1\ZACTHI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-20 21:07:57    --------    d-----w    C:\DOCUME~1\ZACTHI~1\APPLIC~1\AdobeUM
2007-06-07 01:28:15    --------    d-----w    C:\Program Files\AIM6
2007-06-04 23:09:05    --------    d--h--w    C:\Program Files\WindowsUpdate
2007-05-31 18:51:40    388    ----a-w    C:\WINDOWS\urls.dat
2007-05-31 18:51:40    18,906    ----a-w    C:\WINDOWS\htmlcode.dat
2007-05-23 20:50:17    --------    d-----w    C:\DOCUME~1\ZACTHI~1\APPLIC~1\U3
2007-05-16 15:12:02    683,520    ----a-w    C:\WINDOWS\system32\inetcomm.dll
2007-05-03 00:39:44    --------    d-----w    C:\DOCUME~1\ZACTHI~1\APPLIC~1\ZangoToolbar
2007-04-25 14:21:15    144,896    ----a-w    C:\WINDOWS\system32\schannel.dll
2007-04-19 04:04:55    552    ----a-w    C:\WINDOWS\system32\d3d8caps.dat
2007-04-19 03:50:40    167    ----a-w    C:\WINDOWS\system32\3090.bat
2007-04-19 03:50:27    128    ----a-w    C:\WINDOWS\system32\ap.exe
2007-04-19 03:49:42    8,464    ----a-w    C:\WINDOWS\system32\sporder.dll
2007-04-19 03:49:29    32,768    ----a-w    C:\WINDOWS\system32\setup9x.exe
2007-04-18 16:12:23    2,854,400    ----a-w    C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36    33,624    ----a-w    C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54    1,710,936    ----a-w    C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48    549,720    ----a-w    C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42    325,976    ----a-w    C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36    203,096    ----a-w    C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28    92,504    ----a-w    C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20    53,080    ----a-w    C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20    43,352    ----a-w    C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2006-07-17 17:11]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-28 15:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-28 15:40]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 21:07 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-28 15:52 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-28 15:48 C:\WINDOWS\ALCWZRD.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005-09-28 15:46 C:\WINDOWS\sm56hlpr.exe]
"nwiz"="nwiz.exe" [2005-09-28 15:39 C:\WINDOWS\system32\nwiz.exe]
"InstantOn"="C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-05-11 21:28]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 00:24]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 20:48]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 C:\WINDOWS\system32\bthprops.cpl]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 13:45 C:\WINDOWS\KHALMNPR.Exe]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2004-04-23 12:00]
"PCLEPCI"="C:\PROGRA~1\Pinnacle\PPE\PPE.EXE" [2004-02-03 16:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-06 01:53]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 13:14]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 13:20]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 19:51]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"Personal Firewall"="C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe" [2005-11-03 15:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\Program Files\Common Files\profsy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EOUApp]
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ebc66e-a9ad-11db-ac13-0012f09606ab}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5a508cc-096e-11dc-acf4-0012f09606ab}]
AutoRun\command- F:\LaunchU3.exe -a


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E02310B4E666}
C:\WINDOWS\system32\tmrsrv32.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-07-03 01:48:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-07-03  1:50:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 01:50

    --- E O F ---









          hwfutczk.exe;C:\Documents and Settings\All Users\Application    Data;Trojan.Swizzor;Deleted.;    
   
   
   
          Temp_NAME_;C:\Documents    and Settings\Zac Thiele\Local Settings;Trojan.DownLoader.based;Deleted.;    
   
   
          backup-20070702-235318-392.dll;C:\Program    Files\HijackThis\backups;Trojan.DownLoader.24732;Deleted.;    
   
   
          Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;    
   
   
   
   
   
   
          A0005658.dll;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP38;Trojan.DownLoader.24818;Deleted.;          A0006241.exe;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP46;Trojan.LowZones.234;Deleted.;          A0006242.exe;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP46;BackDoor.Generic.1409;Deleted.;          A0006259.exe;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP46;Trojan.LowZones.234;Deleted.;          A0006260.exe;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP46;BackDoor.Generic.1409;Deleted.;          A0006298.exe;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP46;Trojan.Swizzor;Deleted.;          A0006299.dll;C:\System    Volume    Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP46;Trojan.DownLoader.24732;Deleted.;          os1zn2mO7Z.exe;C:\WINDOWS;Trojan.Swizzor;Deleted.;    
   
   
   
   
   
   
          6VTbJnDH.dll;C:\WINDOWS\system32;Trojan.DownLoader.24732;Deleted.;    
   
   
   
   
   
          actskn45.ocx;C:\WINDOWS\system32;Trojan.Isbar.439;Deleted.;    
   
   
   
   
   
   
          msdn_lib.dll.bak;C:\WINDOWS\system32;Trojan.DownLoader.24818;Deleted.;    
   
   
   
   
          msorcl32.exe;C:\WINDOWS\system32;BackDoor.Generic.1599;Deleted.;    
   
   
   
   
   
          wmvds32.dll;C:\WINDOWS\system32;Trojan.DownLoader.23174;Deleted.;    
   
   
   
   
   
         
   
   
   
   
   
   
   
   
   
   
   
   
     





SDFix: Version 1.89

Run by Zac Thiele on Tue 07/03/2007 at 12:04 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\csrss.exe  - Deleted
C:\WINDOWS\ieredir.exe  - Deleted
C:\WINDOWS\preredir.exe  - Deleted
C:\WINDOWS\system32\~.exe  - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk  - Deleted
C:\WINDOWS\system32\install.exe  - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
 
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Zac Thiele\Desktop\Unused Desktop Shortcuts\Word\MSDE2000\SQLRESLD.DLL
C:\Documents and Settings\Zac Thiele\Application Data\U3\temp\Launchpad Removal.exe
C:\Documents and Settings\Zac Thiele\Application Data\Verizon\VSP\downloads\vz-sas-tutorials-2006-09_v2.18467.zip.dir\en\images\Thumbs.db

                                 Finished

Title: Random Music, Virus?
Post by: Atom on July 03, 2007, 12:57:58 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:57:24 AM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" /c
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"  -osboot
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

Title: Random Music, Virus?
Post by: guestolo on July 03, 2007, 07:37:21 PM

Can you do the following please
Go ahead and delete Dr.Web cureit.exe from desktop and the log it created

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")

Access your add/remove programs and remove Zango toolbar if found
Reboot the computer after removal if found

Open notepad and copy/paste the text in the quotebox below into it:
Don't include the word 'quote' please

Quote

File::
C:\WINDOWS\urls.dat
C:\WINDOWS\htmlcode.dat
C:\WINDOWS\system32\3090.bat
C:\WINDOWS\system32\ap.exe
C:\WINDOWS\system32\setup9x.exe
C:\qchrqilr1.exe
C:\qchrqilr3.exe
C:\WINDOWS\system32\scchk32.exe
C:\qchrqilr2.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\system32\tmrsrv32.exe

Folder::
C:\DOCUME~1\ZACTHI~1\DoctorWeb
C:\bintheredunthat
C:\WINDOWS\system32\qchrqilr
C:\DOCUME~1\ZACTHI~1\APPLIC~1\ZangoToolbar

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E02310B4E666}]

Save this as ComboFix-Do.txt to your desktop

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
(http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif)


This will start ComboFix again. After reboot, (in case it asks to reboot)
A log should open, I'll need to see it later, save it to a convienent location
Or you can also find the log again at C:\Combofix.txt

I see a Firewall and Anti-Spyware software on your computer, but I don't see any Anti-Virus software
If you don't have your own to install, I highly recommend that you install one of these free versions
ONLY install one, more than one active AV will cause conflicts

AVG 7 by Grisoft (http://\"http://free.grisoft.com/doc/2/lng/us/tpl/v5\")
OR
Avast Home Edition by ALWIL (http://\"http://www.avast.com/eng/down_home.html\")
OR
Avira AntiVir Personal Edition Classic (http://\"http://www.free-av.com/antivirus/allinonen.html\")
OR
Active Virus Shield (http://\"http://www.activevirusshield.com/antivirus/freeav/index.adp\")
Powered by Kaspersky's>"UNCheck Security toolbar during install"

After your new AV is installed, ensure it is updated and run a complete system scan
Let it fix whatever it finds
Reboot the computer afterwards

Back in Windows
Can you post the following

1. Post a fresh hijackthis log
2. Post the new log from Combofix

Keep me informed how things are running please

NOTE: I see a service related to Symantec's Live updater in your log
Did you recently uninstall Norton's? Do you still need the service?
Did you uninstall Symantec's Live updater from add/remove?