Author Topic: Microsoft C++ Runtime Error Firefox (Read 2025 times)

asiankid · « **on:** July 27, 2007, 01:36:59 PM »

Well I tried to browse the internet with firefox this morning and it keeps dying. I'm using Safe Mode right now and the last program I downloaded and installed was WinRAR. Help!

Logfile of HijackThis v1.99.1
Scan saved at 2:33:19 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Rar$EX17.141\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [j6201035] rundll32 C:\WINDOWS\system32\j6201035.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\xhayksms.dll",realset
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

guestolo · « **Reply #1 on:** July 27, 2007, 06:23:45 PM »

Can you do the following please

Download this file - Combofix.exe and save it ONLY to your desktop, we will need it in a bit

Download and save [color=\"red\"]Brute Force Uninstaller[/color][/b] to the desktop

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to, click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

NOTE: If your using WinRar to extract the contents, First create a new folder in C:\ folder
Called BFU
So you now have C:\BFU
Right click on bfu.zip and choose Extract Files...and choose the C:\BFU folder destination path
[color=\"red\"]RIGHT-CLICK HERE[/color][/b] and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"red\"]Alcan worm remover[/color].
Save it then transfer to the
same folder you made earlier (C:\BFU).

Go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Next to the scriptline to execute field click the folder icon
and select alcanshorty.bfu
Press Execute and let it do it's job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot your computer
Can you boot to Normal windows please

Back in Windows

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Can you additionally do the following
Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum

Also include the log from Combofix located here>>C:\Combofix.txt

asiankid · « **Reply #2 on:** July 27, 2007, 08:22:30 PM »

I got done with everything until

"Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu"

because I can't find "alcanshorty.bfu"

guestolo · « **Reply #3 on:** July 27, 2007, 08:30:54 PM »

I mentioned that you had to Right click and save alcanshorty.bfu in my last reply

Did you do that step?
If you did
Navigate to C:\BFU folder and open it

You may have save alcanshorty.bfu with a .txt extension
so it may look like the following

C:\BFU\alcanshorty.bfu.txt

If it is, can you right click on alcanshorty.bfu.txt and rename it to alcanshorty.bfu
Eliminate the .txt please, then try again

NOTE: I'm on my way out the door for dinner soon
If you have troubles with a step, carry on with the remainder of the instructions

asiankid · « **Reply #4 on:** July 27, 2007, 09:04:24 PM »

Yeah I over read that. xD Well I did everything. Here are the two logs. By the way, thanks for helping me.

"HP_Administrator" - 2007-07-27 21:52:57 - ComboFix 07-07-23.6 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\abjfliew.dll
C:\WINDOWS\system32\cuepmxrp.dll
C:\WINDOWS\system32\ennaqmha.dll
C:\WINDOWS\system32\fhbfsrps.dll
C:\WINDOWS\system32\fuvtrnxh.dll
C:\WINDOWS\system32\gdqnokdh.dll
C:\WINDOWS\system32\gsnaadty.dll
C:\WINDOWS\system32\ijimgiwo.dll
C:\WINDOWS\system32\jatvfawe.dll
C:\WINDOWS\system32\javkiuvo.dll
C:\WINDOWS\system32\jcoojhid.dll
C:\WINDOWS\system32\knajafbu.dll
C:\WINDOWS\system32\mqmctvsk.dll
C:\WINDOWS\system32\mtgcpaav.dll
C:\WINDOWS\system32\sfmtkiin.dll
C:\WINDOWS\system32\tmp31F.tmp.dll
C:\WINDOWS\system32\tmp3BC.tmp.dll
C:\WINDOWS\system32\tsgbdqeq.dll
C:\WINDOWS\system32\viavejlq.dll
C:\WINDOWS\system32\wlyluqvo.dll
C:\WINDOWS\system32\wqovnypm.dll
C:\WINDOWS\system32\xyxkgvky.dll
C:\WINDOWS\jkkjkh.dll
C:\WINDOWS\khgday.dll
C:\WINDOWS\mliged.dll
C:\WINDOWS\system32\weilfjba.ini
C:\WINDOWS\system32\ytdaansg.ini
C:\WINDOWS\system32\owigmiji.ini
C:\WINDOWS\system32\mpynvoqw.ini
C:\WINDOWS\hkjkkj.ini
C:\WINDOWS\yadghk.ini
C:\WINDOWS\degilm.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\autorun.inf
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\addon.dat
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\S858EZKA\www.broadcaster.com
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\racle~1
C:\WINDOWS\IA
C:\WINDOWS\system32\bnyqhyv.dat
C:\WINDOWS\system32\bnyqhyv.exe
C:\WINDOWS\system32\bnyqhyv_nav.dat
C:\WINDOWS\system32\bnyqhyv_navps.dat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\uzcx.exe
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\tmp31F.tmp.dll
C:\WINDOWS\system32\tmp3BC.tmp.dll
C:\WINDOWS\system32\tmp3F5.tmp.dll
C:\WINDOWS\system32\tmp8B2.tmp.dll
C:\WINDOWS\system32\tmpC12.tmp.dll
C:\WINDOWS\system32\tmpF10.tmp.dll
C:\WINDOWS\ufdata2000.log
d:\autorun.inf

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))

2007-07-27 21:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-27 21:44 <DIR> d-------- C:\bintheredunthat
2007-07-27 21:17 <DIR> d-------- C:\BFU
2007-07-15 11:34 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-14 15:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-14 15:18 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-12 23:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2007-07-11 18:25 <DIR> d-------- C:\Program Files\Free Download Manager
2007-07-07 21:24 <DIR> d-------- C:\Program Files\EA GAMES
2007-07-07 21:17 <DIR> d-------- C:\NVIDIA

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 01:50:08 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Xfire
2007-07-27 21:54:34 -------- d-----w C:\Program Files\WarRock
2007-07-27 21:35:14 -------- d-s---w C:\Program Files\Xfire
2007-07-27 17:45:40 -------- d-sh--w C:\Program Files\Free KGB Key Logger
2007-07-27 17:45:13 -------- d-----w C:\Program Files\music_now
2007-07-27 00:57:26 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Azureus
2007-07-13 03:51:08 -------- d-----w C:\Program Files\LimeWire
2007-07-13 03:39:03 -------- d-----w C:\Program Files\America's Army
2007-07-13 01:38:28 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-10 05:20:51 4,442 ----a-w C:\WINDOWS\mozver.dat
2007-07-08 01:24:58 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-08 01:17:07 -------- d-----w C:\Program Files\DaemonTools_WhenUSave_Installer
2007-06-28 22:14:35 -------- d-----w C:\Program Files\Azureus
2007-06-26 05:32:13 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\style bind
2007-06-21 18:55:13 -------- d-----w C:\Program Files\eMule
2007-06-21 14:49:45 45,568 ----a-w C:\WINDOWS\system32\dsupl.exe
2007-06-21 05:08:42 2,472 ----a-w C:\clean.bat
2007-06-21 04:25:11 -------- d-----w C:\Program Files\Error Expert
2007-06-21 04:10:49 -------- d-----w C:\Program Files\Share_Accelerator_MM
2007-06-19 02:30:23 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sonic
2007-06-19 02:30:11 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Leadertech
2007-06-18 21:44:30 -------- d-----w C:\Program Files\AIM6
2007-06-18 21:44:28 -------- d-----w C:\Program Files\Viewpoint
2007-06-17 16:47:03 686,840 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-17 16:26:22 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-17 16:10:40 -------- d--h--r C:\DOCUME~1\HP_ADM~1\APPLIC~1\SecuROM
2007-06-17 16:00:13 -------- d-----w C:\Program Files\Ubisoft
2007-06-17 15:12:45 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
2007-06-15 01:35:08 -------- d-----w C:\Program Files\Globe7
2007-06-13 15:25:17 -------- d-----w C:\Program Files\Common Files\stardock
2007-06-13 04:42:42 -------- d-----w C:\Program Files\BitTorrent
2007-06-13 04:03:14 -------- d-----w C:\Program Files\BitDownload
2007-06-13 03:57:58 -------- d-----w C:\Program Files\style bind
2007-06-11 01:51:48 1,859,254 --sh--w C:\WINDOWS\system32\mpqss.ini2
2007-06-11 00:46:35 1,848,069 --sh--w C:\WINDOWS\system32\mpqss.bak1
2007-06-10 00:46:25 1,849,579 --sha-w C:\WINDOWS\system32\mpqss.bak2
2007-06-09 13:17:01 131,124 ----a-w C:\WINDOWS\system32\xhayksms.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AvastSS.scr
2006-11-20 00:26:12 0 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2006-12-13 22:32:22 80 --sh--r C:\WINDOWS\system32\4090D52FA0.dll
2006-11-22 03:04:32 88 --sh--r C:\WINDOWS\system32\A02FD59040.sys
2006-11-22 03:04:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 00:54 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 15:15 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"ALCMTR"="ALCMTR.EXE" [2005-05-03 14:43 C:\WINDOWS\ALCMTR.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 15:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-29 11:09]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 14:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 bb-run;Promise driver accelerator;C:\WINDOWS\system32\DRIVERS\bb-run.sys
R0 ftsata2;ftsata2;C:\WINDOWS\system32\DRIVERS\ftsata2.sys
R0 iaStor;Intel RAID Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 usbstor;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S2 AFSEGTGF Windows Service;AFSEGTGF Windows Service;C:\WINDOWS\system32\dsjch.exe -service
S3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fd56ec3-0bf3-11dc-8a35-0c0c0c0c0c01}]
Auto\command- F:\tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98983a3a-5630-11db-87a0-001731c64165}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B566F8A-624C-2570-0B75-A27CDC7119CF}
C:\WINDOWS\NtmsData\klswd.exe s

Contents of the 'Scheduled Tasks' folder
2007-07-27 07:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 21:57:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 21:59:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-27 21:58

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 10:03:03 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

guestolo · « **Reply #5 on:** July 27, 2007, 10:38:54 PM »

You still didn't update Hijackthis?
Read Everything I'm posting to you
Please do the following

Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum

In addition:
Download and unzip to your desktop InstalledPrograms.zip
Double click on InstalledPrograms.vbs

Click OK at the IP prompt and click YES to view the results now
A text file will open, can you copy and paste back here the whole contents

ALLOW this script to run if prompted by your AntiVirus

asiankid · « **Reply #6 on:** July 27, 2007, 11:35:07 PM »

xD Sorry I thought I did I re-scan for HiJackThis.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:49 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

INSTALLED SOFTWARE (261) - HPA1520N - 7/28/2007 12:34:07 AM

Ad-Aware SE Personal Ver: 1.06
Adobe Flash Player 9 ActiveX Ver: 9
Adobe Reader 7.0.9 Ver: 7.0.9 Installed: 7/12/2007
Adobe Shockwave Player Ver: 10.1.3.18
Agere Systems PCI-SV92PP Soft Modem
AI RoboForm (All Users)
AIM 6
AiO_Scan Ver: 50.0.206.000 Installed: 5/6/2006
AiO_Scan_CDA Ver: 51.0.230.000 Installed: 5/6/2006
AiOSoftware Ver: 50.0.206.000 Installed: 5/6/2006
AiOSoftwareNPI Ver: 51.0.230.000 Installed: 5/6/2006
America's Army Ver: 2.8.1 Installed: 7/12/2007
Apple Software Update Ver: 1.0.2.1 Installed: 11/2/2006
avast! Antivirus Ver: 4.7
AVG Anti-Spyware 7.5
Azureus Vuze
Battlefield 2(tm) Installed: 7/7/2007
BufferChm Ver: 70.0.170.000 Installed: 5/6/2006
CameraDrivers Ver: 5.0.0.328 Installed: 5/6/2006
CameraDrivers Ver: 6.0.0.212 Installed: 5/6/2006
CameraUserGuides Ver: 6.0.0.212 Installed: 5/6/2006
CP_AtenaShokunin1Config Ver: 70.0.170.000 Installed: 5/6/2006
CP_CalendarTemplates1 Ver: 70.0.170.000 Installed: 5/6/2006
cp_LightScribeConfig Ver: 70.0.170.000 Installed: 5/6/2006
cp_OnlineProjectsConfig Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Basic1 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Variety1 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Variety2 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Package_Variety3 Ver: 70.0.170.000 Installed: 5/6/2006
CP_Panorama1Config Ver: 70.0.170.000 Installed: 5/6/2006
cp_PosterPrintConfig Ver: 70.0.170.000 Installed: 5/6/2006
cp_UpdateProjectsConfig Ver: 70.0.170.000 Installed: 5/6/2006
CueTour Ver: 70.0.170.000 Installed: 5/6/2006
CustomerResearchQFolder Ver: 1.00.0000 Installed: 10/2/2006
Destinations Ver: 70.0.170.000 Installed: 5/6/2006
DeviceFunctionQFolder Ver: 1.00.0000 Installed: 10/2/2006
Diner Dash Ver: 1.0 (Cracked By CoffeeMan)
Diner Dash Ver: WT005638
Diner Dash 2
DocProc Ver: 6.0.0.0 Installed: 5/6/2006
DocumentViewer Ver: 61.0.163.000 Installed: 5/6/2006
Enhanced Multimedia Keyboard Solution
Fax Ver: 50.0.206.000 Installed: 5/6/2006
Fax_CDA Ver: 51.0.230.000 Installed: 5/6/2006
High Definition Audio Driver Package - KB888111 Ver: 20040219.000000
HijackThis 1.99.1 Ver: 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393) Installed: 5/6/2006
Hotfix for Windows XP (KB888795) Ver: 3
Hotfix for Windows XP (KB891593) Ver: 2
Hotfix for Windows XP (KB893357) Ver: 2 Installed: 5/6/2006
Hotfix for Windows XP (KB895961) Ver: 1
Hotfix for Windows XP (KB899337) Ver: 5
Hotfix for Windows XP (KB899510) Ver: 1
Hotfix for Windows XP (KB902841) Ver: 1
Hotfix for Windows XP (KB906569) Ver: 2 Installed: 5/6/2006
Hotfix for Windows XP (KB912024) Ver: 2 Installed: 5/6/2006
Hotfix for Windows XP (KB935448) Ver: 1 Installed: 4/12/2007
HP Deskjet 3900 series Ver: 5.0
HP Deskjet Printer Preload Ver: 10.1.0 Installed: 5/6/2006
HP DigitalMedia Archive Ver: 2.0 Installed: 5/6/2006
HP Document Viewer 6.1 Ver: 6.1
HP DVD Play 2.1
HP Extended Capabilities 5.0 Ver: 5.0
HP Image Zone Express Ver: 1.5.1.29 Installed: 10/2/2006
HP Imaging Device Functions 7.0 Ver: 7.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series Ver: 8.1
HP Photosmart Cameras 6.0 Ver: 6.0
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5 Ver: 6.5
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Software Update Ver: 3.0.7.014 Installed: 5/6/2006
HP Solution Center and Imaging Support Tools 6.1 Ver: 6.1
HPDeskjet3900Series Ver: 1.00.0000 Installed: 10/2/2006
hpiCamDrvQFolder Ver: 6.0.0 Installed: 5/6/2006
HPPhotoSmartExpress Ver: 70.0.170.000 Installed: 5/6/2006
HPProductAssistant Ver: 61.0.163.000 Installed: 5/6/2006
HpSdpAppCoreApp Ver: 3.00.0000 Installed: 5/6/2006
Insaniquarium Deluxe Ver: WT005641
Insaniquarium Deluxe 1.0
InstantShareDevices Ver: 70.0.170.000 Installed: 5/6/2006
iTunes Ver: 7.0.2.16 Installed: 11/16/2006
Java(tm) SE Runtime Environment 6 Update 1 Ver: 1.6.0.10 Installed: 4/25/2007
LightScribe 1.4.84.1 Ver: 1.4.84.1 Installed: 5/6/2006
MapleStory
MarketResearch Ver: 53.0.13.000 Installed: 10/2/2006
Microsoft .NET Framework 1.0 Hotfix (KB887998) Installed: 8/6/2006
Microsoft .NET Framework 1.0 Hotfix (KB930494) Installed: 7/12/2007
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 7/12/2007
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Ver: 2.0.50727 Installed: 7/12/2007
Microsoft Away Mode Ver: 6.0.0160.0
Microsoft Office Professional Edition 2003 Ver: 11.0.5614.0 Installed: 11/11/2006
Microsoft Works Ver: 08.04.0623 Installed: 5/6/2006
Mozilla Firefox (2.0.0.5) Ver: 2.0.0.5 (en-US)
MSXML 4.0 SP2 (KB927978) Ver: 4.20.9841.0 Installed: 11/15/2006
MyCam CIF Ver: 2.02.0000 Installed: 10/29/2006
MySpaceIM Ver: 0.0.40.0 Installed: 11/2/2006
Nero Suite
NewCopy Ver: 50.0.206.000 Installed: 5/6/2006
NewCopy_CDA Ver: 51.0.230.000 Installed: 5/6/2006
NVIDIA Drivers
OptionalContentQFolder Ver: 1.00.0000 Installed: 5/6/2006
PanoStandAlone Ver: 61.0.163.000 Installed: 5/6/2006
PhotoGallery Ver: 70.0.170.000 Installed: 5/6/2006
Picasa 2 Ver: 2.0
PSPrinters08 Ver: 8.01.0000 Installed: 5/6/2006
PSTAPlugin Ver: 8.01.0000 Installed: 5/6/2006
QuickTime Ver: 7.1.3.170 Installed: 11/16/2006
RandMap Ver: 70.0.170.000 Installed: 5/6/2006
Readme Ver: 51.0.230.000 Installed: 5/6/2006
Realtek High Definition Audio Driver
Scan Ver: 6.0.0.0 Installed: 5/6/2006
ScannerCopy Ver: 6.0.0.0 Installed: 5/6/2006
Security Update for Microsoft .NET Framework 2.0 (KB928365) Ver: 2
Security Update for Step By Step Interactive Training (KB898458) Ver: 20050502.101010 Installed: 8/6/2006
Security Update for Step By Step Interactive Training (KB923723) Ver: 20050502.101010 Installed: 2/16/2007
Security Update for Windows Media Player 10 (KB911565) Installed: 5/6/2006
Security Update for Windows Media Player 10 (KB917734) Installed: 8/6/2006
Security Update for Windows Media Player 6.4 (KB925398) Installed: 12/14/2006
Security Update for Windows XP (KB890046) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB893756) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB896358) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB896422) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB896423) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB896428) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB899587) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB899589) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB899591) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB900725) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB901017) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB901214) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB902400) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB904706) Ver: 2 Installed: 5/6/2006
Security Update for Windows XP (KB905414) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB905749) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB905915) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 5/6/2006
Security Update for Windows XP (KB913580) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB916281) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB917159) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB918118) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB918439) Ver: 1 Installed: 8/6/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 9/13/2006
Security Update for Windows XP (KB920213) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 9/13/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 8/8/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 8/14/2006
Security Update for Windows XP (KB922760) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB923689) Installed: 12/14/2006
Security Update for Windows XP (KB923694) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB923980) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB924270) Ver: 1 Installed: 11/15/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 10/13/2006
Security Update for Windows XP (KB924667) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB925454) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 9/27/2006
Security Update for Windows XP (KB925902) Ver: 1 Installed: 4/4/2007
Security Update for Windows XP (KB926255) Ver: 1 Installed: 12/14/2006
Security Update for Windows XP (KB926436) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB927779) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB927802) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB928090) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB928255) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB928843) Ver: 1 Installed: 2/16/2007
Security Update for Windows XP (KB929123) Ver: 1 Installed: 6/14/2007
Security Update for Windows XP (KB929969) Ver: 1 Installed: 1/13/2007
Security Update for Windows XP (KB930178) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB931261) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB931768) Ver: 1 Installed: 5/9/2007
Security Update for Windows XP (KB931784) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB932168) Ver: 1 Installed: 4/12/2007
Security Update for Windows XP (KB933566) Ver: 1 Installed: 6/14/2007
Security Update for Windows XP (KB935839) Ver: 1 Installed: 6/14/2007
Security Update for Windows XP (KB935840) Ver: 1 Installed: 6/14/2007
Serif PhotoPlus 6.0 Ver: 6.00
Shockwave Director 10.1.3
SkinsHP1 Ver: 70.0.170.000 Installed: 5/6/2006
SlideShow Ver: 70.0.170.000 Installed: 5/6/2006
SlideShowMusic Ver: 70.0.170.000 Installed: 5/6/2006
SolutionCenter Ver: 61.0.163.000 Installed: 5/6/2006
Sonic Express Labeler Ver: 2.1.0 Installed: 5/6/2006
Sonic MyDVD Plus Ver: 6.2.0 Installed: 5/6/2006
Sonic RecordNow Audio Ver: 2.0.6 Installed: 5/6/2006
Sonic RecordNow Copy Ver: 2.0.6 Installed: 5/6/2006
Sonic RecordNow Data Ver: 2.0.6 Installed: 5/6/2006
Sonic Update Manager Ver: 3.0.0 Installed: 5/6/2006
Sonic_PrimoSDK Ver: 70.0.170.000 Installed: 5/6/2006
Spybot - Search & Destroy 1.4 Ver: 1.4
Status Ver: 61.0.163.000 Installed: 5/6/2006
Toolbox Ver: 61.0.163.000 Installed: 5/6/2006
TrayApp Ver: 61.0.163.000 Installed: 5/6/2006
Unload Ver: 7.0.0 Installed: 5/6/2006
Update for Windows Media Player 10 (KB913800) Installed: 8/6/2006
Update for Windows Media Player 10 (KB926251) Installed: 12/14/2006
Update for Windows XP (KB898461) Ver: 1 Installed: 8/6/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 8/6/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 8/6/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 8/6/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 8/6/2006
Update for Windows XP (KB912945) Ver: 1 Installed: 5/6/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 8/6/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 9/13/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 9/13/2006
Update for Windows XP (KB927891) Ver: 3 Installed: 5/23/2007
Update for Windows XP (KB929338) Ver: 1 Installed: 3/14/2007
Update for Windows XP (KB930916) Ver: 1 Installed: 5/9/2007
Update for Windows XP (KB931836) Ver: 1 Installed: 2/16/2007
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
Viewpoint Media Player
WarRock Ver: 2.2 Installed: 3/10/2007
WebFldrs XP Ver: 9.50.7523 Installed: 8/30/2005
WebReg Ver: 61.0.163.000 Installed: 5/6/2006
Windows Driver Package - Camera Maker (MR97310_USB_DUAL_CAMERA) Image 05/02/2006 2.0.1.0 Ver: 2.0.1.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player Firefox Plugin Ver: 1.0.0.8 Installed: 6/1/2007
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB883667 Ver: 20040812.104354
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB890859 Ver: 1 Installed: 8/6/2006
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Hotfix - KB892050 Ver: 3 Installed: 5/6/2006
Windows XP Hotfix - KB893066 Ver: 1 Installed: 5/6/2006
Windows XP Media Center Edition 2005 KB908246 Installed: 5/6/2006
Windows XP Media Center Edition 2005 KB912067 Installed: 5/6/2006
WinFlyer
Xfire (remove only)
Yahoo! Internet Mail
Yahoo! Messenger

guestolo · « **Reply #7 on:** July 27, 2007, 11:48:46 PM »

Well, let's try this again
Delete all copies of Hijackthis you have right now
I want you to update your copy, let me post these instructions once again

Download Hijackthis 2.0.2 from my signature below
SAVE it to your desktop

Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum

asiankid · « **Reply #8 on:** July 27, 2007, 11:57:50 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:35 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6549 bytes

guestolo · « **Reply #9 on:** July 29, 2007, 09:53:17 PM »

Sorry for the delay
Can you do the following, you still have problems on this machine

Download tel.xls.exe_Remover.exe
and save it to desktop

Download and save to desktop
Flash_Disinfector.exe

We'll need both these tools in a bit

Reboot your computer into safe mode and sign in with your usual account
Ensure that if you have any flash drives>>Eg.. Usb thumbdrives
Plug them in

Double click on Flash_Disinfector.exe and follow the prompts
Double click on tel.xls.exe_Remover.exe and follow the prompts

Boot back to Normal Windows

* Download avz4en.zip from [color=\"#0000FF\"]HERE[/color]
* Unzip it to a folder on your desktop
* Double click on AVZ.exe
* Click on the webupdate icon

* Click on the start button.
* Wait for the update to finish
* You will get a message that says "Automatic update completed successfully. Update has been successfully downloaded and installed"
* Click OK
* Under the search parameter tab, change the heuristic analysis mode to "Maximum heuristics level" and tick the box next to "Extended analysis
* Make sure that the following options are selected

Detect API hooks and rootkits
Check SPI / LSP settings
Search for keyloggers
Search for TCP/UDP ports used by trojan horses

* Under the file types tab select all files
* Under the search range tab, select the following options

Check running processes
Heuristic system check

* Make sure that all the Disks listed are selected
* Click start and wait for the scan to finish
* When the scan has finished click on the save icon

* Leave the default name of avz_log and save it to your desktop
* This will put the file avz_log.txt on your desktop, please post the contents of that file

Also include a fresh hijackthis log file

asiankid · « **Reply #10 on:** July 30, 2007, 12:49:45 AM »

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' />

AVZ Antiviral Toolkit log; AVZ version is 4.25
Scanning started at 7/30/2007 12:10:33 AM
Database loaded: 119334 signatures, 2 NN profile(s), 55 microprograms of healing, signature database released 29.07.2007 12:41
Heuristic microprograms loaded : 370
Digital signatures of system files loaded: 61046
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
1. Searching for rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section: .text
Analysis: ntdll.dll, export table found in section: .text
Analysis: user32.dll, export table found in section: .text
Analysis: advapi32.dll, export table found in section: .text
Analysis: ws2_32.dll, export table found in section: .text
Analysis: wininet.dll, export table found in section: .text
Analysis: rasapi32.dll, export table found in section: .text
Analysis: urlmon.dll, export table found in section: .text
Analysis: netapi32.dll, export table found in section: .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in the memory at the address 804D7000
SDT = 8055B6E0
KiST = 80503940 (284)
Function NtCreateKey (29) intercepted (80622104->F72F80D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateKey (47) intercepted (80622944->F72FDFB2), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtEnumerateValueKey (49) intercepted (80622BAE->F72FE340), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtOpenKey (77) intercepted (8062349A->F72F80B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtOpenProcess (7A) intercepted (805C9CFE->F7B7D8AC), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Function NtQueryKey (A0) intercepted (806237BE->F72FE418), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtQueryValueKey (B1) intercepted (806201BE->F72FE298), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtSetValueKey (F7) intercepted (806207C4->F72FE4AA), hook C:\WINDOWS\system32\Drivers\sptd.sys
Function NtTerminateProcess (101) intercepted (805D1226->F7B7D812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Functions checked: 284, intercepted: 9, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
The extended monitoring driver (AVZPM) is not installed, examination is not performed
2. Scanning memory
Number of processes found: 46
Analyzer - the process under analysis is 1372 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer - the process under analysis is 1420 C:\Program Files\Alwil Software\Avast4\ashServ.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 260 C:\Program Files\QuickTime\qttask.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 288 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 364 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 380 C:\Program Files\AIM6\aim6.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 540 C:\Program Files\AIM6\aolsoftware.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 552 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 1236 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[ES]:Application has no visible windows
Analyzer - the process under analysis is 2088 C:\WINDOWS\system32\PnkBstrA.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer - the process under analysis is 2580 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Listens TCP ports !
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing?
Analyzer - the process under analysis is 2800 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[ES]:Contains network functionality
[ES]:Listens TCP ports !
[ES]:Listens HTTP ports !
[ES]:Application has no visible windows
Analyzer - the process under analysis is 3836 C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Number of modules loaded: 410
Memory checking - complete
3. Scanning disks
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\cert8.db
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\history.dat
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\key3.db
Direct reading C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\urlclassifier2.sqlite
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-77b36199/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-77b36199/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-77b36199/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1ce941ce-677f182c/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1ce941ce-677f182c/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\1ce941ce-677f182c/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\254ab48e-4babaa3e/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\254ab48e-4babaa3e/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\254ab48e-4babaa3e/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\2a68265a-787715d0/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\2a68265a-787715d0/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\2a68265a-787715d0/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-23dd0c56/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-23dd0c56/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\26\5ef5f5a-23dd0c56/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3f27a9-3fd00faf/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3f27a9-3fd00faf/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\41\3f27a9-3fd00faf/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-20bbb7fd.zip/{ZIP}/BaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-20bbb7fd.zip/{ZIP}/VaaaaaaaBaa.class >>>>> Trojan.Java.ClassLoader.ao
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-c7f7e15-20bbb7fd.zip/{ZIP}/Baaaaa.class >>>>> Trojan.Java.ClassLoader.ao
Direct reading C:\Documents and Settings\HP_Administrator\Cookies\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Desktop\armyops280_win(1).exe
Direct reading C:\Documents and Settings\HP_Administrator\Desktop\armyops280_win.exe
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL OCP\AIM\Storage\data\asianvietsweetie\localStorage\common.cls
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\Cache\_CACHE_001_
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\Cache\_CACHE_002_
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\pq8eml4n.default\Cache\_CACHE_003_
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007072320070730\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007072920070730\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007073020070731\index.dat
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~WRC0000.tmp
Direct reading C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[1].php Cannot open file "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[1].php". The process cannot access the file because it is being used by another process
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[2].php Cannot open file "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\M5OJEFMZ\adserver[2].php". The process cannot access the file because it is being used by another process
Direct reading C:\Documents and Settings\HP_Administrator\My Documents\1984..doc
Direct reading C:\Documents and Settings\HP_Administrator\My Documents\Azureus Downloads\AA281FullInstaller_BitTorrent.exe
Direct reading C:\Documents and Settings\HP_Administrator\My Documents\Azureus Downloads\Grand Theft Auto - San Andreas.iso
Direct reading C:\Documents and Settings\HP_Administrator\NTUSER.DAT
C:\Documents and Settings\HP_Administrator\Shared\E-40 ft. T-Pain- U and Dat .mp3 - Extension masking is detected(danger level 5%)
C:\Documents and Settings\HP_Administrator\Shared\young joc I_Know_U_See_It__Clean_ .mp3 - Extension masking is detected(danger level 5%)
C:\Documents and Settings\HP_Administrator\Shared\Yung Joc - (New Joc City) - 08 - I Know You See It .mp3 - Extension masking is detected(danger level 5%)
C:\Documents and Settings\HP_Administrator\Shared\Yung Joc - I Know You See It (Dirty) .mp3 - Extension masking is detected(danger level 5%)
Direct reading C:\Documents and Settings\LocalService\Cookies\index.dat
Direct reading C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Direct reading C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Documents and Settings\LocalService\NTUSER.DAT
Direct reading C:\Documents and Settings\NetworkService\Cookies\index.dat
Direct reading C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Direct reading C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Documents and Settings\NetworkService\NTUSER.DAT
C:\hp\KBD\runHSC.exe >>> suspicion for AdvWare.Win32.VirtualBouncer.c ( 0044105C 00304E19 000EF470 00000000 16384)
C:\hp\recovery\wizard\fscommand\AppRecoveryLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\CreatorLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RecordnowLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RestoreLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RTCDLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\RunLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\SysRecoveryLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
C:\hp\recovery\wizard\fscommand\WizardLink.exe >>> suspicion for DoS.Win32.Opdos ( 00410AA2 00304E19 000F152C 001F1E7E 28672)
Direct reading C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db
Direct reading C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt
C:\Program Files\Diner Dash 2\ReflexiveArcade\Application.dat Invalid file - not a PKZip file
C:\Program Files\Diner Dash 2\ReflexiveArcade\Arcade.dat Invalid file - not a PKZip file
C:\QooBox\Quarantine\C\WINDOWS\system32\abjfliew.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.kg ( 0B99DBC7 01B1A046 0029D636 0023A4D6 131124)
C:\QooBox\Quarantine\C\WINDOWS\system32\cuepmxrp.dll.vir >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\QooBox\Quarantine\C\WINDOWS\system32\ennaqmha.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.kb ( 0B3135E1 015E435F 0027AE21 00250DA2 50745)
C:\QooBox\Quarantine\C\WINDOWS\system32\fhbfsrps.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\QooBox\Quarantine\C\WINDOWS\system32\fuvtrnxh.dll.vir >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\QooBox\Quarantine\C\WINDOWS\system32\gdqnokdh.dll.vir >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\QooBox\Quarantine\C\WINDOWS\system32\gsnaadty.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\QooBox\Quarantine\C\WINDOWS\system32\ijimgiwo.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\QooBox\Quarantine\C\WINDOWS\system32\jatvfawe.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ir ( 0D461F06 01A2B9DE 0029E2BB 00280214 49204)
C:\QooBox\Quarantine\C\WINDOWS\system32\javkiuvo.dll.vir >>> suspicion for Trojan.Win32.BHO.o ( 0C110628 005E5E84 0023A0B2 0025270C 55316)
C:\QooBox\Quarantine\C\WINDOWS\system32\jcoojhid.dll.vir >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\QooBox\Quarantine\C\WINDOWS\system32\mqmctvsk.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0BBC8AB8 0400D4A1 00248BCC 0028C2C4 125460)
C:\QooBox\Quarantine\C\WINDOWS\system32\mtgcpaav.dll.vir >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\QooBox\Quarantine\C\WINDOWS\system32\sfmtkiin.dll.vir >>> suspicion for Trojan.Win32.BHO.g ( 0AF37A9C 0175643C 0027A1EF 00255ECC 49204)
C:\QooBox\Quarantine\C\WINDOWS\system32\tsgbdqeq.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\QooBox\Quarantine\C\WINDOWS\system32\viavejlq.dll.vir >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\QooBox\Quarantine\C\WINDOWS\system32\wlyluqvo.dll.vir >>> suspicion for AdvWare.Win32.BHO.v ( 0B9D9EDF 03ABBA0A 00286896 00280E64 125460)
C:\QooBox\Quarantine\C\WINDOWS\system32\wqovnypm.dll.vir >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\QooBox\Quarantine\C\WINDOWS\system32\xyxkgvky.dll.vir >>> suspicion for Trojan.Win32.BHO.g ( 0B52CEDA 01568055 00263EE0 0023AF63 49204)
C:\QooBox\Quarantine\catchme2007-07-27_215729.57.zip/{ZIP}/core.sys >>> suspicion for Rootkit.Win32.Agent.eq ( 09467360 06A5F7CD 0025D115 00226578 72320)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP176\A0066604.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP180\A0076844.exe
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP181\A0076847.exe
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP181\A0076899.exe
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP181\A0079906.exe
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP184\A0083913.dll >>> suspicion for AdvWare.Win32.Virtumonde.hb ( 0B98AB21 01F6F305 0025B262 00256691 132660)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP188\A0096215.exe
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP189\A0101316.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP189\A0101317.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP191\A0106353.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B1B4526 01D07FDC 002689E8 0028E1FF 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP196\A0111639.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP203\A0117856.dll >>> suspicion for AdvWare.Win32.Virtumonde.kg ( 0B99DBC7 01B1A046 0029D636 0023A4D6 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131360.scr >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131371.DLL >>>>> AdvWare.Win32.ToolBar.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131372.DLL >>>>> AdvWare.Win32.MyWebSearch.af
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131374.DLL >>>>> AdvWare.Win32.MyWebSearch.au
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131375.SCR >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131376.DLL >>>>> AdvWare.Win32.MyWebSearch.au
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131377.DLL >>>>> AdvWare.Win32.ToolBar.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131378.EXE >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131379.DLL >>>>> AdvWare.Win32.MyWebSearch.an
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131380.DLL >>>>> AdvWare.Win32.MyWebSearch.aq
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131381.DLL >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131384.DLL >>>>> AdvWare.Win32.IWon.a
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP214\A0131388.DLL >>>>> AdvWare.ToolBar.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP215\A0132324.DLL >>> suspicion for AdvWare.Win32.MyWebSearch.as ( 0075D21B 00000000 00212D13 0023D2AA 57344)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP215\A0132329.EXE >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP215\A0132330.DLL >>>>> AdvWare.Win32.MyWebSearch
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134644.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134646.dll >>> suspicion for AdvWare.Win32.Virtumonde.kb ( 0B3135E1 015E435F 0027AE21 00250DA2 50745)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134647.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134649.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134653.dll >>> suspicion for AdvWare.Win32.Virtumonde.ir ( 0D461F06 01A2B9DE 0029E2BB 00280214 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134654.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134659.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134661.dll >>> suspicion for Trojan.Win32.BHO.g ( 0AF37A9C 0175643C 0027A1EF 00255ECC 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134666.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134668.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B9D9EDF 03ABBA0A 00286896 00280E64 125460)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134669.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP223\A0134670.dll >>> suspicion for Trojan.Win32.BHO.g ( 0B52CEDA 01568055 00263EE0 0023AF63 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP224\A0134690.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0BF5787C 017E8DFB 00287344 00254D91 58420)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP224\A0135535.DLL >>> suspicion for Trojan.Win32.BHO.bd ( 0BF5787C 017E8DFB 00287344 00254D91 58420)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP248\A0145569.exe
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156536.dll >>>>> Keylogger.Win32.KGBSpy.34
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156674.dll >>> suspicion for AdvWare.Win32.Virtumonde.kg ( 0B99DBC7 01B1A046 0029D636 0023A4D6 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156675.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156676.dll >>> suspicion for AdvWare.Win32.Virtumonde.kb ( 0B3135E1 015E435F 0027AE21 00250DA2 50745)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156677.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156678.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156679.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156680.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156681.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156682.dll >>> suspicion for AdvWare.Win32.Virtumonde.ir ( 0D461F06 01A2B9DE 0029E2BB 00280214 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156683.dll >>> suspicion for Trojan.Win32.BHO.o ( 0C110628 005E5E84 0023A0B2 0025270C 55316)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156684.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156686.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0BBC8AB8 0400D4A1 00248BCC 0028C2C4 125460)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156687.dll >>> suspicion for Trojan-Spy.Win32.VBStat.h ( 0C4B04E0 0141C207 00286445 0028FEF0 76412)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156688.dll >>> suspicion for Trojan.Win32.BHO.g ( 0AF37A9C 0175643C 0027A1EF 00255ECC 49204)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156689.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B634177 064B4968 0024BD1E 00280BC9 124436)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156690.dll >>> suspicion for Trojan.Win32.BHO.bd ( 0B6294C0 01A8D44C 0028430F 00275DC8 50740)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156691.dll >>> suspicion for AdvWare.Win32.BHO.v ( 0B9D9EDF 03ABBA0A 00286896 00280E64 125460)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156692.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B527BB8 01EFFACC 0024909E 002685D6 132660)
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP258\A0156693.dll >>> suspicion for Trojan.Win32.BHO.g ( 0B52CEDA 01568055 00263EE0 0023AF63 49204)
Direct reading C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP259\change.log
Direct reading C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{51C08E9B-857D-4E70-A6F4-EF26F1A870C1}.crmlog
Direct reading C:\WINDOWS\SchedLgU.Txt
Direct reading C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
C:\WINDOWS\system32\awtst.exe - Suspicion for Virus.Win32.PE_Type1(danger level 75%)
Direct reading C:\WINDOWS\system32\CatRoot2\edb.log
Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb
Direct reading C:\WINDOWS\system32\config\Antivirus.Evt
Direct reading C:\WINDOWS\system32\config\AppEvent.Evt
Direct reading C:\WINDOWS\system32\config\default
Direct reading C:\WINDOWS\system32\config\Media Ce.evt
Direct reading C:\WINDOWS\system32\config\SAM
Direct reading C:\WINDOWS\system32\config\SecEvent.Evt
Direct reading C:\WINDOWS\system32\config\SECURITY
Direct reading C:\WINDOWS\system32\config\software
Direct reading C:\WINDOWS\system32\config\SysEvent.Evt
Direct reading C:\WINDOWS\system32\config\system
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
Direct reading C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\xhayksms.dll >>> suspicion for AdvWare.Win32.Virtumonde.ar ( 0B362F6C 01B7C443 0023F233 0023CD05 131124)
Direct reading C:\WINDOWS\Temp\Perflib_Perfdata_58c.dat
Direct reading C:\WINDOWS\WindowsUpdate.log
D:\I386\DRV\APP32031\src\runHSC.exe >>> suspicion for AdvWare.Win32.VirtualBouncer.c ( 0044105C 00304E19 000EF470 00000000 16384)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\nview.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\nview.dll>>> Behavioral analysis:
1. Reacts to events: keyboard, window events, all events
2. Determines PID of current process
C:\WINDOWS\system32\nview.dll>>> Neural net: file with probability of 0.22% like a typical keyboard/mouse events interceptor
C:\Program Files\Xfire\xfire_toucan_26993.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Program Files\Xfire\xfire_toucan_26993.dll>>> Behavioral analysis:
1. Reacts to events: keyboard, window events, all events
C:\Program Files\Xfire\xfire_toucan_26993.dll>>> Neural net: file with probability of 23.09% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
In the database: 317 port descriptions
Opened at this PC: 98 TCP ports and 46 UDP ports
>> Attention: Port 1116 UDP - Backdoor.Lurker (c:\program files\xfire\xfire.exe)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ and Help for more details)
7. Heuristic system check
Checking complete
Files scanned: 500648, extracted from archives: 394229, malicious programs found 37
Scanning finished at 7/30/2007 1:43:54 AM
Time of scanning: 01:33:22
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:59 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsjch.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6614 bytes

guestolo · « **Reply #11 on:** July 30, 2007, 08:16:29 AM »

Ok, that scan looks good
Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Can we see what the 2 fixes repaired I had you run in safe mode

Do a fresh scan with Combofix please
When it's done, post the new log>>C:\Combofix.txt

Let me know how things are running

asiankid · « **Reply #12 on:** July 30, 2007, 10:56:21 AM »

Things work GREAT! My Firefox doesn't explode on me anymore and I don't have anymore pop-ups or anything! Thanks again for helping me so much!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

"HP_Administrator" - 2007-07-30 11:07:24 - ComboFix 07-07-23.6 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\xhayksms.dll
C:\WINDOWS\system32\smskyahx.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))

2007-07-30 01:41   <DIR>   d--------   C:\DOCUME~1\HP_ADM~1\APPLIC~1\SystemRequirementsLab
2007-07-29 23:45   26,112   --a------   C:\WINDOWS\system32\nircmd.exe
2007-07-29 23:40   <DIR>   drahs----   C:\autorun.inf
2007-07-28 15:34   <DIR>   d--------   C:\Program Files\DivX
2007-07-28 00:56   <DIR>   d--------   C:\Program Files\Trend Micro
2007-07-27 21:52   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-27 21:44   <DIR>   d--------   C:\bintheredunthat
2007-07-27 21:17   <DIR>   d--------   C:\BFU
2007-07-15 11:34   22,328   --a------   C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-14 15:18   66,872   --a------   C:\WINDOWS\system32\PnkBstrA.exe
2007-07-14 15:18   103,736   --a------   C:\WINDOWS\system32\PnkBstrB.exe
2007-07-12 23:38   <DIR>   d--------   C:\Program Files\America's Army Server Manager
2007-07-11 18:25   <DIR>   d--------   C:\Program Files\Free Download Manager
2007-07-09 15:07   200,704   --a------   C:\WINDOWS\system32\ssldivx.dll
2007-07-09 15:07   1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-07-07 21:24   <DIR>   d--------   C:\Program Files\EA GAMES
2007-07-07 21:17   <DIR>   d--------   C:\NVIDIA
2007-06-21 14:47   <DIR>   d--------   C:\Program Files\eMule
2007-06-21 10:49   45,568   --a------   C:\WINDOWS\system32\dsupl.exe
2007-06-21 01:08   2,472   --a------   C:\clean.bat
2007-06-21 00:19   <DIR>   d--------   C:\Program Files\Error Expert
2007-06-20 22:52   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-06-18 22:30   <DIR>   d--------   C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sonic
2007-06-18 22:30   <DIR>   d--------   C:\DOCUME~1\HP_ADM~1\APPLIC~1\Leadertech
2007-06-17 12:26   108,144   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2007-06-17 12:10   68,888   --a------   C:\WINDOWS\system32\xinput1_3.dll
2007-06-17 12:10   62,744   --a------   C:\WINDOWS\system32\xinput1_2.dll
2007-06-17 12:10   237,848   --a------   C:\WINDOWS\system32\xactengine2_4.dll
2007-06-17 12:10   236,824   --a------   C:\WINDOWS\system32\xactengine2_3.dll
2007-06-17 12:10   2,414,360   --a------   C:\WINDOWS\system32\d3dx9_31.dll
2007-06-17 12:10   15,128   --a------   C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-17 12:10   <DIR>   dr-h-----   C:\DOCUME~1\HP_ADM~1\APPLIC~1\SecuROM
2007-06-17 12:00   <DIR>   d--------   C:\Program Files\Ubisoft
2007-06-17 11:42   <DIR>   d--------   C:\Program Files\DaemonTools_WhenUSave_Installer
2007-06-17 11:38   686,840   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2007-06-17 11:12   <DIR>   d--------   C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
2007-06-13 23:03   <DIR>   d--------   C:\Program Files\Globe7
2007-06-13 00:26   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-13 00:25   <DIR>   d--------   C:\DOCUME~1\HP_ADM~1\APPLIC~1\Azureus
2007-06-13 00:24   <DIR>   d--------   C:\Program Files\Azureus
2007-06-12 23:57   <DIR>   d--------   C:\Program Files\style bind
2007-06-09 19:09   95,872   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-06-09 19:09   94,552   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-09 19:09   85,952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-09 19:09   43,176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-09 19:09   26,888   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-09 19:09   23,416   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-09 19:08   745,600   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-06-08 17:56   1,859,254   ---hs----   C:\WINDOWS\system32\mpqss.ini2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 15:49:09   --------   d-----w   C:\DOCUME~1\HP_ADM~1\APPLIC~1\Xfire
2007-07-28 19:34:26   4,576   ----a-w   C:\WINDOWS\mozver.dat
2007-07-27 21:54:34   --------   d-----w   C:\Program Files\WarRock
2007-07-27 21:35:14   --------   d-s---w   C:\Program Files\Xfire
2007-07-27 17:45:40   --------   d-sh--w   C:\Program Files\Free KGB Key Logger
2007-07-27 17:45:13   --------   d-----w   C:\Program Files\music_now
2007-07-13 03:51:08   --------   d-----w   C:\Program Files\LimeWire
2007-07-13 03:39:03   --------   d-----w   C:\Program Files\America's Army
2007-07-13 01:38:28   --------   d-----w   C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-08 01:24:58   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-06-26 05:32:13   --------   d-----w   C:\DOCUME~1\HP_ADM~1\APPLIC~1\style bind
2007-06-21 04:10:49   --------   d-----w   C:\Program Files\Share_Accelerator_MM
2007-06-18 21:44:30   --------   d-----w   C:\Program Files\AIM6
2007-06-18 21:44:28   --------   d-----w   C:\Program Files\Viewpoint
2007-06-13 15:25:17   --------   d-----w   C:\Program Files\Common Files\stardock
2007-06-13 04:42:42   --------   d-----w   C:\Program Files\BitTorrent
2007-06-13 04:03:14   --------   d-----w   C:\Program Files\BitDownload
2007-06-11 00:46:35   1,848,069   --sh--w   C:\WINDOWS\system32\mpqss.bak1
2007-06-10 00:46:25   1,849,579   --sha-w   C:\WINDOWS\system32\mpqss.bak2
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2006-11-20 00:26:12   0   ----a-w   C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2006-12-13 22:32:22   80   --sh--r   C:\WINDOWS\system32\4090D52FA0.dll
2006-11-22 03:04:32   88   --sh--r   C:\WINDOWS\system32\A02FD59040.sys
2006-11-22 03:04:32   2,516   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 00:54 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 15:15 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 15:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-29 11:09]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 14:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 bb-run;Promise driver accelerator;C:\WINDOWS\system32\DRIVERS\bb-run.sys
R0 ftsata2;ftsata2;C:\WINDOWS\system32\DRIVERS\ftsata2.sys
R0 iaStor;Intel RAID Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 usbstor;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S2 AFSEGTGF Windows Service;AFSEGTGF Windows Service;C:\WINDOWS\system32\dsjch.exe -service
S3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fd56ec3-0bf3-11dc-8a35-0c0c0c0c0c01}]
Auto\command- F:\tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9666843c-22cb-11dc-8a66-0c0c0c0c0c01}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98983a3a-5630-11db-87a0-001731c64165}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B566F8A-624C-2570-0B75-A27CDC7119CF}
C:\WINDOWS\NtmsData\klswd.exe s

Contents of the 'Scheduled Tasks' folder
2007-07-30 07:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 11:52:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 11:53:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 11:53
C:\ComboFix2.txt ... 2007-07-27 21:59

   --- E O F ---

guestolo · « **Reply #13 on:** July 30, 2007, 06:51:34 PM »

Can you do me a favor please, Combofix has been updated to help remove some entries in your log
Delete Combofix.exe on desktop

Download a fresh copy of Combofix from [color=\"#0000FF\"]HERE[/color]
Save it again to desktop
We'll need it in a bit

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- AFSEGTGF Windows Service

Double click on it---
In the drop down menu, change the startup type to Disabled
Apply it and then exit out of there

Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
C:\autorun.inf
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\dsjch.exe
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

Folder::
C:\bintheredunthat
C:\BFU
C:\Program Files\DaemonTools_WhenUSave_Installer

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fd56ec3-0bf3-11dc-8a35-0c0c0c0c0c01}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9666843c-22cb-11dc-8a66-0c0c0c0c0c01}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98983a3a-5630-11db-87a0-001731c64165}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B566F8A-624C-2570-0B75-A27CDC7119CF}]

Save this file with the name of
CFScript

Take note the pic above
Drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Could you also do the following
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

go to either of these links
http://www.virustotal.com/
OR
http://virusscan.jotti.org/

Use the browse button and navigate to the file on your harddrive
C:\WINDOWS\system32\dsupl.exe<-this file

Right click on the file, and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

Do the same for these files also
C:\WINDOWS\system32\4090D52FA0.dll
C:\WINDOWS\system32\A02FD59040.sys

NOTE: I see this in your combofix.txt
C:\Program Files\Free KGB Key Logger
Did you knowingly install this key logger? If not we should remove it

asiankid · « **Reply #14 on:** July 30, 2007, 09:21:06 PM »

I didn't install that free kgb keylogger.

ComboFix 07-07-31 - "HP_Administrator" 2007-07-30 21:19:25.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\autorun.inf
C:\BFU
C:\BFU\alcanshorty.bfu
C:\BFU\BFU.exe
C:\bintheredunthat
C:\Program Files\DaemonTools_WhenUSave_Installer
C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))

2007-07-30 01:41 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SystemRequirementsLab
2007-07-29 23:45 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-28 15:34 <DIR> d-------- C:\Program Files\DivX
2007-07-28 00:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 21:52 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 11:34 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-14 15:18 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-07-14 15:18 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-12 23:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2007-07-11 18:25 <DIR> d-------- C:\Program Files\Free Download Manager
2007-07-09 15:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-07 21:24 <DIR> d-------- C:\Program Files\EA GAMES
2007-07-07 21:17 <DIR> d-------- C:\NVIDIA
2007-06-21 14:47 <DIR> d-------- C:\Program Files\eMule
2007-06-21 10:49 45,568 --a------ C:\WINDOWS\system32\dsupl.exe
2007-06-21 01:08 2,472 --a------ C:\clean.bat
2007-06-21 00:19 <DIR> d-------- C:\Program Files\Error Expert
2007-06-20 22:52 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-06-18 22:30 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sonic
2007-06-18 22:30 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Leadertech
2007-06-17 12:26 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-17 12:10 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-17 12:10 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-17 12:10 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-17 12:10 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-17 12:10 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-17 12:10 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-17 12:10 <DIR> dr-h----- C:\DOCUME~1\HP_ADM~1\APPLIC~1\SecuROM
2007-06-17 12:00 <DIR> d-------- C:\Program Files\Ubisoft
2007-06-17 11:38 686,840 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-17 11:12 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinRAR
2007-06-13 23:03 <DIR> d-------- C:\Program Files\Globe7
2007-06-13 00:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-13 00:25 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Azureus
2007-06-13 00:24 <DIR> d-------- C:\Program Files\Azureus
2007-06-12 23:57 <DIR> d-------- C:\Program Files\style bind
2007-06-09 19:09 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-09 19:09 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-09 19:09 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-09 19:09 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-09 19:09 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-09 19:09 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-09 19:08 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 17:25 --------- d-------- C:\Program Files\WarRock
2007-07-30 11:52 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Xfire
2007-07-28 15:34 4576 --a------ C:\WINDOWS\mozver.dat
2007-07-27 17:35 --------- d---s---- C:\Program Files\Xfire
2007-07-27 13:45 --------- d--hs---- C:\Program Files\Free KGB Key Logger
2007-07-27 13:45 --------- d-------- C:\Program Files\music_now
2007-07-12 23:51 --------- d-------- C:\Program Files\LimeWire
2007-07-12 23:39 --------- d-------- C:\Program Files\America's Army
2007-07-12 21:38 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-07 21:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-26 01:32 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\style bind
2007-06-21 00:10 --------- d-------- C:\Program Files\Share_Accelerator_MM
2007-06-18 17:44 --------- d-------- C:\Program Files\Viewpoint
2007-06-18 17:44 --------- d-------- C:\Program Files\AIM6
2007-06-13 11:25 --------- d-------- C:\Program Files\Common Files\stardock
2007-06-13 00:42 --------- d-------- C:\Program Files\BitTorrent
2007-06-13 00:03 --------- d-------- C:\Program Files\BitDownload
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-19 20:26 0 --a------ C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2006-12-13 22:32:22 80 --sh--r C:\WINDOWS\system32\4090D52FA0.dll
2006-11-22 03:04:32 88 --sh--r C:\WINDOWS\system32\A02FD59040.sys
2006-11-22 03:04:32 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 00:54 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-01-24 15:15 C:\WINDOWS\system32\nwiz.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"PCDrProfiler"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-29 11:09]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 14:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R0 bb-run;Promise driver accelerator;C:\WINDOWS\system32\DRIVERS\bb-run.sys
R0 ftsata2;ftsata2;C:\WINDOWS\system32\DRIVERS\ftsata2.sys
R0 iaStor;Intel RAID Controller;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S1 rxp;rxp;\??\C:\WINDOWS\system32\drivers\rxp.sys
S3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\E:\INSTAL~E\Core\BVRPMPR5.SYS
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S4 AFSEGTGF Windows Service;AFSEGTGF Windows Service;C:\WINDOWS\system32\dsjch.exe -service

*Newly Created Service* - PNKBSTRK

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 21:21:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 21:22:18
C:\ComboFix-quarantined-files.txt ... 2007-07-30 21:22
C:\ComboFix2.txt ... 2007-07-30 11:53
C:\ComboFix3.txt ... 2007-07-27 21:59

--- E O F ---

File: dsupl.exe Status:         [color=\"red\"]INFECTED/MALWARE[/color]                   MD5:               30adac128c2c3491e48ee019435ddb53                   Packers detected:             -                         Bit9 reports:               File not found

     Scan taken on 31 Jul 2007 02:35:14 (GMT)     A-Squared     Found nothing AntiVir     Found TR/Genetik.FH ArcaVir     Found nothing Avast     Found nothing AVG Antivirus     Found Generic5.LAK BitDefender     Found Trojan.Dloader.BKV ClamAV     Found Trojan.Downloader-11698 CPsecure     Found nothing Dr.Web     Found DLOADER.Trojan (probable variant) F-Prot Antivirus     Found Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus F-Secure Anti-Virus     Found Trojan.Win32.Small.mw Fortinet     Found W32/GENETIK.DH!tr Kaspersky Anti-Virus     Found Trojan.Win32.Small.mw NOD32     Found probably a variant of Win32/Genetik (probable variant) Norman Virus Control     Found W32/Malware.YJJ Panda Antivirus     Found Generic Rising Antivirus     Found nothing Sophos Antivirus     Found Mal/Behav-010 VirusBuster     Found nothing VBA32     Found nothing

File: 4090D52FA0.dll Status:         [color=\"#00bb00\"]OK[/color]                   MD5:               55831523fc98753fa7f47581a2bbe16a                   Packers detected:             -                         Bit9 reports:               File not found

     Scan taken on 31 Jul 2007 02:39:42 (GMT)     A-Squared     Found nothing AntiVir     Found nothing ArcaVir     Found nothing Avast     Found nothing AVG Antivirus     Found nothing BitDefender     Found nothing ClamAV     Found nothing CPsecure     Found nothing Dr.Web     Found nothing F-Prot Antivirus     Found nothing F-Secure Anti-Virus     Found nothing Fortinet     Found nothing Kaspersky Anti-Virus     Found nothing NOD32     Found nothing Norman Virus Control     Found nothing Panda Antivirus     Found nothing Rising Antivirus     Found nothing Sophos Antivirus     Found nothing VirusBuster     Found nothing VBA32     Found nothing

File: A02FD59040.sys Status:         [color=\"#00bb00\"]OK[/color]                   MD5:               25e6d10d08f9b655d7a79afee7632278                   Packers detected:             -                         Bit9 reports:               File not found

     Scan taken on 31 Jul 2007 02:42:57 (GMT)     A-Squared     Found nothing AntiVir     Found nothing ArcaVir     Found nothing Avast     Found nothing AVG Antivirus     Found nothing BitDefender     Found nothing ClamAV     Found nothing CPsecure     Found nothing Dr.Web     Found nothing F-Prot Antivirus     Found nothing F-Secure Anti-Virus     Found nothing Fortinet     Found nothing Kaspersky Anti-Virus     Found nothing NOD32     Found nothing Norman Virus Control     Found nothing Panda Antivirus     Found nothing Rising Antivirus     Found nothing Sophos Antivirus     Found nothing VirusBuster     Found nothing VBA32     Found nothing
EDIT: Okay it's better.

guestolo · « **Reply #15 on:** July 30, 2007, 10:54:50 PM »

Looking better, just some final entries
and that service name is being stubborn

Please do the following,

Download [color=\"blue\"]OTMoveIt[/color] by OldTimer:

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================

C:\WINDOWS\system32\dsupl.exe
C:\Program Files\Free KGB Key Logger

======================================================
Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
Click the red "[color=\"red\"]MoveIt![/color]" button.
Close OTMoveIt.

[color=\"red\"]Note[/color]: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

OTMoveIt will create a log here
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run., I'll need to see this log in a bit

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

AFSEGTGF Windows Service

Right click on it and choose "Properties".
Beside "Startup Type" in the dropdown menu select "Disabled".
On the "General" tab under "Service Status", if selectable, click the "Stop" button to stop the service.
Click Apply then OK.
Exit

Immediately afterwards
Open Hijackthis>>
Click the Open the Misc Tools section
Click the Delete an NT Service button
In the next window in the open blank field
Copy>>Paste the bold text below

AFSEGTGF Windows Service

Then click the OK button
Hijackthis should warn the service will be deleted and to restart computer
Do so

Back in Windows
Come back here and post a fresh hijackthis log and the log from OTMoveIt please

asiankid · « **Reply #16 on:** July 31, 2007, 11:20:46 AM »

File/Folder C:\WINDOWS\system32\dsupl.exe not found.
File/Folder C:\Program Files\Free KGB Key Logger not found.

Created on 07/31/2007 12:04:30

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:10 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\OTMoveIt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6558 bytes

guestolo · « **Reply #17 on:** July 31, 2007, 07:18:07 PM »

File/Folder C:\WINDOWS\system32\dsupl.exe not found.
File/Folder C:\Program Files\Free KGB Key Logger not found.

Did you already manually delete the file and folder???

asiankid · « **Reply #18 on:** July 31, 2007, 08:28:11 PM »

I accidentally did it twice and forgot to save the results of the first one. xD

guestolo · « **Reply #19 on:** July 31, 2007, 10:30:12 PM »

Looks good
You can delete
tel.xls.exe_Remover.exe
Flash_Disinfector.exe
avz4en.zip and it's folder

If everything is running better
Please do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool

After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Keep your AV updated and actively running in the background

double-click OTMoveIt.exe to run it.
Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Select Yes to reboot Now

Back in Windows
Empty the recycle bin

NOTE: I would change all passwords to email, online banking, online gaming, etc..
As you had signs of a keylogger that you didn't install yourself

I hope that helps

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

News:

Author Topic: Microsoft C++ Runtime Error Firefox (Read 2025 times)