Hello guys:

Once again am in a fine mess. I have no clue where this program came from or how it got installed on my computer. For a while I have been finding random files in the My documents folder. Anyway now this WINIFIXER program has installed itself and is causing all kinds of problems. Am posting my hijack this log below - hope someone can help me! Annoying windows keep popping up and asking me if i want WINIFIXER to protect my computer! Somebody please help!

thanks

Sunny

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:41, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\httpd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\apache2triad\mail\bin\XMail.exe
C:\apache2triad\bin\httpd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\ip1yo8.exe
C:\Program Files\WinIFixer\WinIFixer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/active...oad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe

--
End of file - 6641 bytes


This post has been edited by sunny441: May 13 2008, 07:24 PM

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

WinIFixer

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

c:\ip1yo8.exe
C:\WINDOWS\system32\ctfmona.exe
C:\Program Files\WinIFixer\

1. Download combofix at http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

GreyKnight:

THanks for your reply. While I was waiting for your reply - I ran Malawarebytes anti-malaware tool and got rid of some stuff.

However am going to do the stuff you asked and post back!

thanks

Sunny

Greyknight:

thanks for the prompt reply.

I did as was requested by you. However i did not find any of the directories that you wanted me to delete. I assume that malawarebytes program took care of that. Am pasting my combofix log below

thanks

ComboFix 08-05-12.1 - Sudhir J. Kamath 2008-05-13 22:04:40.1 - NTFSx86
Running from: C:\Documents and Settings\Sudhir J. Kamath\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\imglib.dll
C:\WINDOWS\SNMPAPI.DLL
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 15:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 15:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 21:20 . 2008-05-06 21:20 <DIR> d-------- C:\Program Files\GizmoPlugin
2008-05-06 20:45 . 2008-05-06 20:45 <DIR> d-------- C:\Program Files\DialIdol.com
2008-04-28 18:47 . 2008-04-28 18:55 <DIR> d-------- C:\DUKE3D
2008-04-28 18:35 . 2008-04-28 18:35 <DIR> d-------- C:\4dprince
2008-04-22 23:32 . 2008-05-03 12:13 <DIR> d-------- C:\Program Files\Oberon Media
2008-04-22 23:32 . 2008-04-22 23:32 <DIR> d-------- C:\Program Files\GamesBar
2008-04-22 23:32 . 2008-04-22 23:32 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-04-22 23:32 . 2008-04-24 19:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:19 . 2008-05-12 15:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 22:19 . 2008-04-20 22:19 <DIR> d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-20 22:19 . 2008-04-20 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 15:34 . 2008-04-20 15:34 <DIR> d-------- C:\Program Files\CONEXANT
2008-04-15 18:13 . 2006-02-10 17:55 34,688 --a------ C:\WINDOWS\system32\drivers\samfilt.sys
2008-04-15 18:02 . 2004-03-20 03:54 929,844 --a------ C:\WINDOWS\system32\MFC42D.DLL
2008-04-15 18:02 . 2004-03-20 03:54 798,773 --a------ C:\WINDOWS\system32\MFCO42D.DLL
2008-04-15 18:02 . 2004-03-20 03:54 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-04-15 18:02 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 01:05 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-13 01:05 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-12 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-07 01:35 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 19:08 --------- d-----w C:\Program Files\DOSBox-0.72
2008-05-01 15:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-15 21:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 23:21 --------- d-----w C:\Program Files\KeyNote
2008-04-12 23:20 --------- d-----w C:\Program Files\Numericon
2008-04-12 23:19 --------- d-----w C:\Program Files\Minitab 15
2008-04-12 23:16 --------- d-----w C:\Program Files\Panda Security
2008-04-10 02:11 --------- d-----w C:\Program Files\Trend Micro
2008-04-09 21:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-09 21:17 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-03 12:58 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-26 01:58 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 04:36 --------- d-----w C:\Program Files\Windows Live
2008-03-25 04:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-25 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-24 22:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 20:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-23 02:31 127 ---ha-w C:\Documents and Settings\All Users\Application Data\emopts.dat
2008-03-23 02:31 --------- d--h--w C:\Documents and Settings\All Users\Application Data\sacache
2008-03-21 20:09 --------- d-----w C:\Program Files\Nexus
2008-03-20 06:30 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 04:25 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Microsoft Games
2008-03-18 21:57 --------- d-----w C:\Program Files\Microsoft Games
2008-03-12 05:45 39,888 ----a-w C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
2008-02-21 06:14 1,984 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 21:09 579584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Gizmo Plugin;Gizmo VoIP Service;"C:\Program Files\GizmoPlugin\GizmoPlugin.exe" [2008-05-06 21:20]
R2 XMail;Apache2Triad Xmail Service;C:\apache2triad\mail\bin\XMail.exe [2007-04-19 01:13]
S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;"C:\apache2triad\bin\httpd.exe" -D SSL -n Apache2SSL -k runservice []
S3 PgSql;Apache2Triad PostgreSQL Service;"C:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -N PgSql -D C:\apache2triad\pgsql\data\ []
S3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 22:12:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-13 22:18:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 02:17:42

Pre-Run: 8,218,591,232 bytes free
Post-Run: 8,146,628,608 bytes free

167 --- E O F --- 2008-05-09 15:07:50

These seem to have adware in them. I suggest uninstalling them via the Add/Remove Programs panel and then delete their folders if they still exist:

C:\Program Files\Oberon Media
C:\Program Files\GamesBar
C:\Program Files\Common Files\Oberon Media

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

Thanks for your reply.

NOw i have another problem! I have I-Worm/Roron found on my computer.

My anti-virus (AVG) finds random files in my documents folder. Most of them are sound like [bleep] videos or executable files!
repeated scans do not find anything or any virus on the computer!
please help me!

This post has been edited by sunny441: May 14 2008, 07:16 PM

Download Deckard's System Scanner at http://deckard.geekstogo.com/dss.exe or http://www.techsupportforum.com/sectools/Deckard/dss.exe and save it to your desktop.

- Close all applications and windows.
- Double-click on DSS.exe to run it, and follow the prompts.
- When the scan is complete, two text files will open - Main.txt and Extra.txt

Post the main.txt (copy and paste it in your reply) and extra.txt (attach it in your next reply) from the C:\Deckard\System Scanner folder into your next reply.

thanks for the reply for some reason DSS opened up mozilla firefox for some reason! anyway there was some problem with hijack this or something anyway am posting the log below and attaching the file!

Deckard's System Scanner v20071014.68
Run by Sudhir J. Kamath on 2008-05-15 23:06:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-05-16 03:06:32 UTC - RP444 - Deckard's System Scanner Restore Point
3: 2008-05-16 02:43:25 UTC - RP443 - System Checkpoint
2: 2008-05-15 01:50:29 UTC - RP442 - 15th May
1: 2008-05-15 01:50:11 UTC - RP441 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as Sudhir J. Kamath.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:07:49, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apache2triad\bin\httpd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\apache2triad\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\apache2triad\bin\httpd.exe
C:\apache2triad\mail\bin\XMail.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Sudhir J. Kamath\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sudhir J. Kamath.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/active...oad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Apache Software Foundation - C:\apache2triad\bin\httpd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe

--
End of file - 6671 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-220136-791 O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20080513-220136-874 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 SAMFILT - c:\windows\system32\drivers\samfilt.sys <Not Verified; Dolphin, Inc.; Dolphin Keyboard Filter>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 PID_PEPI (Logitech QuickCam IM(PID_PEPI)) - c:\windows\system32\drivers\lv302v32.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 tifm - c:\windows\system32\drivers\tifm.sys <Not Verified; Texas Instruments; Texas Instruments PCIxx20 UltraMedia>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apache2 (Apache2Triad Apache2 Service) - "c:\apache2triad\bin\httpd.exe" -n apache2 -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>
R2 Gizmo Plugin (Gizmo VoIP Service) - "c:\program files\gizmoplugin\gizmoplugin.exe" <Not Verified; SIPphone, Inc.; Gizmo Plugin VOIP Service>
R2 MySql (Apache2Triad MySql Service) - c:\apache2triad\mysql\bin\mysqld.exe
R2 XMail (Apache2Triad Xmail Service) - c:\apache2triad\mail\bin\xmail.exe

S3 Apache2SSL (Apache2Triad Apache2 Service with SSL) - "c:\apache2triad\bin\httpd.exe" -d ssl -n apache2ssl -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 PgSql (Apache2Triad PostgreSQL Service) - "c:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -n pgsql -d c:\apache2triad\pgsql\data\ <Not Verified; PostgreSQL Global Development Group; PostgreSQL>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4F4AB100811F0F00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4F4AB100811F0F00
Service: NIC1394

Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_018D1028&REV_00\4&16793A72&0&23F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_018D1028&REV_00\4&16793A72&0&23F0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth PAN Network Adapter
Device ID: ROOT\NET\0000
Manufacturer: IVT Corporation
Name: Bluetooth PAN Network Adapter
PNP Device ID: ROOT\NET\0000
Service: BT


-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 09:53:28 0 d-------- C:\WINDOWS\LastGood
2008-05-06 21:20:38 0 d-------- C:\Program Files\GizmoPlugin
2008-05-06 20:45:30 0 d-------- C:\Program Files\DialIdol.com
2008-04-28 18:47:41 0 d-------- C:\DUKE3D
2008-04-28 18:35:32 0 d-------- C:\4dprince
2008-04-22 23:32:54 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-20 22:19:11 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-20 22:19:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 22:19:00 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 15:34:07 0 d-------- C:\Program Files\CONEXANT
2008-04-15 18:13:32 34688 --a------ C:\WINDOWS\system32\drivers\samfilt.sys <Not Verified; Dolphin, Inc.; Dolphin Keyboard Filter>


-- Find3M Report ---------------------------------------------------------------

2008-05-15 23:00:44 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-15 21:40:02 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-14 21:53:46 0 d-------- C:\Program Files\Panda Security
2008-05-14 21:07:17 0 d-------- C:\Program Files\Common Files
2008-05-06 21:35:55 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 15:08:29 0 d-------- C:\Program Files\DOSBox-0.72
2008-05-01 11:40:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-22 23:33:08 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Macromedia
2008-04-15 17:49:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 19:21:16 0 d-------- C:\Program Files\KeyNote
2008-04-12 19:20:47 0 d-------- C:\Program Files\Numericon
2008-04-12 19:19:14 0 d-------- C:\Program Files\Minitab 15
2008-04-10 17:16:36 1364 --a------ C:\WINDOWS\checkip.dat
2008-04-09 22:11:13 0 d-------- C:\Program Files\Trend Micro
2008-04-09 17:20:24 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-09 17:17:36 0 d-------- C:\Program Files\Microsoft.NET
2008-04-06 23:12:55 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-05 21:04:47 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Adobe
2008-04-03 08:58:18 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-25 21:58:29 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 00:36:55 0 d-------- C:\Program Files\Windows Live
2008-03-25 00:35:42 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 18:44:42 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 22:31:07 640 --ah----- C:\WINDOWS\saopts.dat
2008-03-21 16:09:46 0 d-------- C:\Program Files\Nexus
2008-03-20 02:30:44 0 d-------- C:\Program Files\MSXML 4.0
2008-03-19 00:25:23 0 d-------- C:\Documents and Settings\Sudhir J. Kamath\Application Data\Microsoft Games
2008-03-18 17:57:22 0 d-------- C:\Program Files\Microsoft Games
2008-03-12 01:45:04 39888 --a------ C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
2008-02-21 02:14:23 1984 --a------ C:\WINDOWS\system32\tmp.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/19/2005 19:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/19/2005 19:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/19/2005 19:10]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [11/01/2006 13:48]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/17/2008 21:09]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 18:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [09/11/2006 04:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"=0 (0x0)
"NoLogOff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 03/04/2008 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-15 23:08:19 ------------

What's I-Worm/Roron on your computer? Is it still detected? If so, where is it located now?

greyknight:

thanks for the reply.

That is the exact problem with this virus. I cannot find anything when i scan the computer. But when am surfing or just doing some work all of a sudden AVG will pop up a screen and say that IWORM RORON32 found!! and will say that some random .exe file was found in My documents and what do i want to do. once i hit heal - the file is gone and then things go along as if nothing had happened, till the next time I see the AVG window come up! I looked in the folders and found nothing - it's as if the file just appears randomly and then disappears!

hope that helps!