Windows explorer very slow :( please help


This topic is locked

#1 dJonE
Member, 60 posts
Hello, I'm having problems when using my computer... opening folders is taking a very long time and I also just found out that for some reason I cannot play sound on my computer... I don't know if these problems are related but my logs are below, hope someone could help :whistling:

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 6:38:07 PM, on 2/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Adam\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slickdeals.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://farm.thinktar...ams/r...&o=0&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://farm.thinktar...ams/r...&o=0&q=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ANR] C:\Program Files\voice_record\ANR.exe
O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Padus, Inc. - (no file)



------------------------------------------------------------------------------------------------------------------



Incident Status Location

Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/azesearch Not disinfected Windows Registry
Adware:Adware/SearchAid Not disinfected C:\!KillBox\ms32.tmp
Virus:Bck/Webber.gen Not disinfected C:\!KillBox\x[1].chm[/explorer.exe]
Hacktool:Exploit/Codebase.gen Not disinfected C:\!KillBox\x[1].chm[/x.htm]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Adam\Cookies\adam@burstnet[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Adam\Desktop\SpyAxeFix\Process.exe
Virus:Trj/Zapchast.Z Not disinfected C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe[Pixelbt32.exe]
Virus:Trj/Pakes.V Not disinfected C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe[xpq.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe[xpq.exe][mgrsts.exe]
Adware:Adware/Zango Not disinfected C:\Program Files\mIRC\download\Spy Sweeper 5 Final\keygen\keygen.exe
Adware:Adware/Zango Not disinfected C:\Program Files\mIRC\download\Webroot_Spy_Sweeper_5_Final.rar[Spy Sweeper 5 Final\keygen\keygen.exe]
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\ac3_0008.exe[PSCastor.exe]


----------------------------------------------------------------------------------------------------------------------




SUPERAntiSpyware Scan Log
Generated 02/02/2007 at 04:19 PM

Application Version : 3.5.1016

Core Rules Database Version : 3177
Trace Rules Database Version: 1187

Scan type : Complete Scan
Total Scan Time : 02:24:43

Memory items scanned : 334
Memory threats detected : 0
Registry items scanned : 4775
Registry threats detected : 9
File items scanned : 195664
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\adam@burstnet[2].txt

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Trojan.DollarRevenue
C:\WINDOWS\keyboard1.dat

Adware.AdSponsor
C:\Program Files\AdSponsor

Trojan.Rustock/HUY32
C:\WINDOWS\system32:huy32.sys

BearShare File Sharing Client
C:\PROGRAM FILES\MIRC\DOWNLOAD\BEARSHARE_PRO_V5.0.2.3_+_CRACK\BEARSHARE.EXE

Adware.180solutions/Search Assistant
C:\PROGRAM FILES\MIRC\DOWNLOAD\SPY SWEEPER 5 FINAL\KEYGEN\KEYGEN.EXE

Trojan.Downloader-AC3/Gen
C:\WINDOWS\AC3_0008.EXE

Trojan.Downloader-PMTLauncher
C:\WINDOWS\SYSTEM32\PFBO0YJ.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\OPWNKVCD\index[1].htm
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\KLQNWX67\spacer[1].gif
  • 0
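The three logs above are what a helper reads by hand. As an added example (not part of the thread and not a tool the helper used), the script below parses HijackThis-style entry lines such as the R0/O4/O20/O23 lines posted here and flags the things a reviewer checks first: entries whose registry value still points at a file that no longer exists ("(no file)" / "(file missing)"), Run keys that name a bare executable resolved through the search path, and load points that execute inside winlogon.exe or as a service. The entry format follows the log shown above; the sample lines are a constructed subset of it, and the flagging rules are my own triage heuristics, not anything HijackThis itself reports.

```python
import re
from collections import Counter
from dataclasses import dataclass

# HijackThis entry lines look like "O4 - HKLM\..\Run: [Name] path"; process
# lists and headers do not match this pattern and are ignored.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# Load points that run code with high privilege or at every logon. Anything
# listed under these sections deserves a look even when the file exists.
SENSITIVE_KINDS = {
    "O20": "Winlogon Notify DLL (loaded by winlogon.exe at logon)",
    "O21": "ShellServiceObjectDelayLoad entry (loaded by Explorer)",
    "O23": "Windows service (runs as SYSTEM unless configured otherwise)",
}

# Constructed sample: a subset of the entries from the first log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slickdeals.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ANR] C:\Program Files\voice_record\ANR.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Plug and Play (PlugPlay) - Padus, Inc. - (no file)
"""


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O20"
    line: str    # the entry as it appeared in the log
    reason: str  # why a reviewer should look at it


def parse_entries(log_text):
    """Yield (kind, body) for every entry line; skip everything else."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def summarize(log_text):
    """Count entries per section code (R0, O2, O4, ...)."""
    return Counter(kind for kind, _ in parse_entries(log_text))


def triage(log_text):
    """Apply the review heuristics and return the list of findings."""
    findings = []
    for kind, body in parse_entries(log_text):
        line = f"{kind} - {body}"
        # Registry value survives but the file is gone: leftover of an earlier
        # removal. Harmless by itself, but it should be cleaned up.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(kind, line,
                "dangling reference: registry still points to a removed file"))
        # Run entries with a bare filename rely on search-path lookup at logon.
        if kind == "O4":
            target = re.sub(r"^.*\] ", "", body)          # text after "[Name] "
            first_token = target.split(" ")[0].strip('"')
            if "\\" not in first_token:
                findings.append(Finding(kind, line,
                    "bare filename; resolved via search path at logon"))
        if kind in SENSITIVE_KINDS:
            findings.append(Finding(kind, line, SENSITIVE_KINDS[kind]))
        # Services whose binary carries no publisher information.
        if kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(kind, line,
                "service binary has no publisher information"))
    return findings


if __name__ == "__main__":
    for code, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{code}: {n} entries")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Running it on the sample prints the per-section counts and seven findings: four dangling references (the R3 toolbar hook, the msnim protocol handler, the WRNotifier logon DLL and the phantom "Plug and Play" service), the bare SOUNDMAN.EXE Run entry, and the two high-privilege load points (O20 and O23) that merit a look regardless. The heuristics are deliberately simple; the point is to turn a wall of log text into a short list ordered by where code actually executes.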



#2 Linkmaster
Visiting Staff, 940 posts
Hi dJonE,
Sorry for the delay in reviewing your post

You may wish to print out a copy of these instructions to follow while you complete this procedure

Please disable AVG Anti-Spyware, it may hinder in the fixing of some HJT entries. You can re-enable it after you're clean
Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an S in the system tray.
In the Resident Shield section, toggle the AVG Anti-Spyware active protection off by clicking Change state which will then change the protection status to inactive
If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield
Reply No and set it to inactive for the duration of your cleanup

I need you to download some programs to aid in our fix: Do Not Run Them Yet

Download ATF (Atribune Temp File) Cleaner© by Atribune

Download ComboFix to your Desktop

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Make sure you have Disconnected from the Internet !

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Double click on combofix.exe
Follow the prompts

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall

When finished, it will produce a log for you

Reboot to Normal Mode

Run Kaspersky WebScanner
Click on Kaspersky Online Scanner
NOTE For Internet Explorer 7 Users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot

Post a fresh HijackThis Log, the ComboFix log, and the Kaspersky Virus Scan Log here
(You may need to use several replies as the logs may be cut off)

Thank You !!
  • 0

#3 dJonE (Topic Starter)
Member, 60 posts
It's ok about the wait, I'm just glad someone got back, THANK YOU!!!!

Here are my logs

Logfile of HijackThis v1.99.1
Scan saved at 6:09:06 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Adam\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slickdeals.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ANR] C:\Program Files\voice_record\ANR.exe
O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Padus, Inc. - (no file)

-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 07, 2007 6:03:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/02/2007
Kaspersky Anti-Virus database records: 265913
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\

Scan Statistics:
Total number of scanned objects: 95116
Number of viruses found: 8
Number of infected objects: 20 / 0
Number of suspicious objects: 1
Duration of the scan process: 01:23:39

Infected Object Name / Virus Name / Last Action
C:\!KillBox\x[1].chm/explorer.exe Infected: Backdoor.Win32.Padodor.c skipped
C:\!KillBox\x[1].chm/x.htm Suspicious: Exploit.HTML.CodeBaseExec skipped
C:\!KillBox\x[1].chm CHM: infected - 1, suspicious - 1 skipped
C:\Adam\Programs\mirc.6.14.with.keygen.By-.Neal3\keygen.zip/mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Adam\Programs\mirc.6.14.with.keygen.By-.Neal3\keygen.zip/mirc614.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Adam\Programs\mirc.6.14.with.keygen.By-.Neal3\keygen.zip ZIP: infected - 2 skipped
C:\Adam\Programs\mirc.6.14.with.keygen.By-.Neal3\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Adam\Programs\mirc.6.14.with.keygen.By-.Neal3\mirc614.exe mIRC: infected - 1 skipped
C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Adam\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\History\History.IE5\MSHist012007020720070208\index.dat Object is locked skipped
C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Adam\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Adam\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe/stream/data0006 Infected: Trojan.Win32.Zapchast skipped
C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe/stream/data0007/stream/data0001 Infected: Trojan.Win32.Pakes skipped
C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe/stream/data0007/stream Infected: Trojan.Win32.Pakes skipped
C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe/stream/data0007 Infected: Trojan.Win32.Pakes skipped
C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe/stream Infected: Trojan.Win32.Pakes skipped
C:\Program Files\mIRC\download\DivXPlayerPro64-Setup.exe NSIS: infected - 5 skipped
C:\Program Files\mIRC\download\RaidenFTPD.v2.4.2065-AGAiN\raidenftpd2.exe/data0013 Infected: not-a-virus:Server-FTP.Win32.Raiden skipped
C:\Program Files\mIRC\download\RaidenFTPD.v2.4.2065-AGAiN\raidenftpd2.exe/data0014 Infected: not-a-virus:Server-FTP.Win32.Raiden skipped
C:\Program Files\mIRC\download\RaidenFTPD.v2.4.2065-AGAiN\raidenftpd2.exe NSIS: infected - 2 skipped
C:\Program Files\mIRC\download\Webroot_Spy_Sweeper_5_Final.rar/Spy Sweeper 5 Final/keygen/keygen.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as skipped
C:\Program Files\mIRC\download\Webroot_Spy_Sweeper_5_Final.rar RAR: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\hsperfdata_SYSTEM\1500 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#4 dJonE (Topic Starter)
Member, 60 posts
"Adam" - 07-02-07 16:16:36 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Adam\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


Granting SeDebugPrivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\CMIntex
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Documents and Settings\Adam\Application Data\YMANTE~1
C:\qoobox\purity\Documents and Settings\Adam\Application Data\YMANTE~1\?ymantec
C:\qoobox\purity\WINDOWS\system32\ASEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


2007-02-02 19:10 <DIR> d-------- C:\Program Files\Realtek AC97
2007-02-02 18:28 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-02-02 13:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-02 13:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-02 13:51 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\SUPERAntiSpyware.com
2007-02-02 10:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-02 10:06 12,186,653 --------- C:\AVG7QT.DAT
2007-02-02 10:02 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\AVG7
2007-02-02 10:01 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-02 10:01 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-02 10:01 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-02 10:01 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-02 10:01 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-02 10:01 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-02 10:01 <DIR> d-------- C:\Program Files\Grisoft
2007-02-02 10:01 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-02 10:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-02-02 09:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-27 18:13 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\Viewpoint
2007-01-09 20:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-09 20:47 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\MixMeister Technology
2007-01-08 19:32 <DIR> d-------- C:\Program Files\MixMeister Fusion
2007-01-07 14:04 <DIR> d-------- C:\Program Files\hkSFV


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver huy32 is present. A rootkit scan is required

2007-02-07 09:37 -------- d-------- C:\Documents and Settings\Adam\Application Data\avg7
2007-02-06 22:19 -------- d-------- C:\Documents and Settings\Adam\Application Data\adobe
2007-02-06 22:01 -------- d-------- C:\Documents and Settings\Adam\Application Data\macromedia
2007-02-06 22:00 -------- d-------- C:\Program Files\macromedia
2007-02-06 21:59 -------- d---s---- C:\Documents and Settings\Adam\Application Data\microsoft
2007-02-06 21:59 -------- d-------- C:\Program Files\quicktime
2007-02-06 17:54 -------- d-------- C:\Program Files\flashfxp
2007-02-04 06:21 -------- d-------- C:\Program Files\soulseek
2007-02-02 18:31 -------- d-------- C:\Program Files\winamp
2007-02-02 13:51 -------- d-------- C:\Documents and Settings\Adam\Application Data\superantispyware.com
2007-01-31 21:54 -------- d-------- C:\Program Files\ad-aware se personal
2007-01-27 18:13 -------- d-------- C:\Documents and Settings\Adam\Application Data\viewpoint
2007-01-26 12:32 -------- d-------- C:\Program Files\dc++
2007-01-26 10:37 -------- d-------- C:\Documents and Settings\Adam\Application Data\canon
2007-01-24 16:47 -------- d-------- C:\Program Files\mirc
2007-01-09 20:47 -------- d-------- C:\Documents and Settings\Adam\Application Data\mixmeister technology
2006-12-14 16:42 43848 --a------ C:\Documents and Settings\Adam\Application Data\gdipfontcachev1.dat
2006-12-13 08:46 -------- d-------- C:\Program Files\avg anti-spyware 7.5
2006-12-09 20:27 -------- d-------- C:\Program Files\virtualdj
2006-12-07 22:47 -------- d--h----- C:\Program Files\installshield installation information
2006-12-07 22:47 -------- d-------- C:\Program Files\nvidia corporation
2006-12-07 12:38 -------- d-------- C:\Program Files\coolpro2
2006-12-07 12:36 -------- d-------- C:\Documents and Settings\Adam\Application Data\syntrillium
2006-11-28 18:11 88064 --a------ C:\VundoFix.exe
2006-11-09 11:03 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-09 11:03 53 --a------ C:\WINDOWS\nqqnbo.dat
2006-11-09 11:03 126 --a------ C:\WINDOWS\vmjqw.dll
2006-11-09 11:03 1259 --a------ C:\WINDOWS\system32\tjqdf237.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ANR"="C:\\Program Files\\voice_record\\ANR.exe"
"MySpaceIM"="\"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"forwas"=hex:15,26,db,fb,69
"cryptpa"=hex:b7,ef,dc,83,21


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\MSN\kyfevylaj.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Common Files\hocys.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 90
hidden files: 0

********************************************************************

Completion time: 07-02-07 16:21:21
C:\ComboFix2.txt ... 06-11-28 18:07
C:\ComboFix3.txt ... 06-11-28 18:01

#5 Linkmaster (Visiting Staff, 940 posts)

Download rustbfix© by ejvindh
...and save it to your desktop.

Double click on rustbfix.exe
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer
The reboot will probably take quite a while, and perhaps 2 reboots will be needed
But this will happen automatically
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt)

Post the contents of the C:\avenger.txt file and the C:\rustbfix\pelog.txt here

#6 dJonE (Topic Starter, Member, 60 posts)

Here are my logs:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\eqtanggo

*******************

Script file located at: \??\C:\WINDOWS\system32\dmvvkseg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver huy32 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.




************************* Rustock.b-fix -- By ejvindh *************************
Thu 02/08/2007 10:10:41.43

******************* Pre-run Status of system *******************

Rootkit driver huy32 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:huy32.sys 70570
:[4 29
Total size: 70599 bytes.
Attempting to remove ADS...
system32: deleted 70599 bytes in 2 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
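The rustbfix log above shows the Rustock.b driver stored as an alternate data stream attached to the System32 folder itself (":huy32.sys"). The following is an added example, not part of the thread and not rustbfix's own code, that lists named streams on a few Windows system directories; the directory list is an assumption and the script needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example (not from the thread or from rustbfix): report named alternate
# data streams attached to Windows system *directories*, the hiding place the
# rustbfix log reports (":huy32.sys" attached to the System32 folder).
# Requires PowerShell 3.0+ for -Stream; it will not run on the XP-era shell.
param(
    # Directories to inspect; these defaults are an assumption for illustration.
    [string[]]$Directories = @(
        $env:SystemRoot,
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'System32\drivers')
    )
)

$findings = @()
foreach ($dir in $Directories) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    # A directory normally carries no data streams at all (files carry the
    # unnamed ::$DATA stream), so any named stream on a directory deserves a look.
    $streams = @(Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' })

    if ($streams.Count -eq 0) {
        '{0}: no named streams' -f $dir
        continue
    }
    foreach ($s in $streams) {
        '{0}: stream "{1}" ({2} bytes)' -f $dir, $s.Stream, $s.Length
        $findings += [pscustomobject]@{ Directory = $dir; Stream = $s.Stream; Length = $s.Length }
    }
}

# Non-zero exit when anything was found, so the check can run from a scheduled task.
if ($findings.Count -gt 0) { exit 1 }
```

A stream found here is only a lead, not proof of infection: compare its name and size against known software before acting on it.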

#7 Linkmaster (Visiting Staff, 940 posts)

Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

mIRC

Do Not reboot if it asks

When finished uninstalling close Control Panel

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the following folders or files in RED : (if present)

C:\WINDOWS\system32\tjqdf237.sys
C:\WINDOWS\nqqnbo.dat
C:\WINDOWS\vmjqw.dll
C:\!KillBox
C:\Adam\Programs\mirc.6.14.with.keygen.By-.Neal3
C:\Program Files\mIRC

Close Windows Explorer

Run ATF Cleaner

Run ComboFix

Reboot to Normal Mode

Run Kaspersky Web Scanner

Post a fresh HijackThis log, the ComboFix log and the Kaspersky Web Scanner log here

#8 dJonE (Topic Starter, Member, 60 posts)

My logs are below :whistling:



KASPERSKY ONLINE SCANNER REPORT
Thursday, February 08, 2007 8:13:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/02/2007
Kaspersky Anti-Virus database records: 266193


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
E:\

Scan Statistics
Total number of scanned objects 94808
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:17:09

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Adam\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\Adam\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Adam\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Adam\Local Settings\History\History.IE5\MSHist012007020820070209\index.dat Object is locked skipped

C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Adam\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Adam\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Adam\UserData\index.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\temp\hsperfdata_SYSTEM\1592 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


---------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:16:03 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\FlashFXP\flashfxp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Adam\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slickdeals.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ANR] C:\Program Files\voice_record\ANR.exe
O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Padus, Inc. - (no file)



-------------------------------------------------------------------------------------------



"Adam" - 07-02-08 18:47:17 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Adam\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Documents and Settings\Adam\Application Data\YMANTE~1
C:\qoobox\purity\Documents and Settings\Adam\Application Data\YMANTE~1\?ymantec
C:\qoobox\purity\WINDOWS\system32\ASEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2007-01-08 to 2007-02-08 ))))))))))))))))))))))))))))))))))


2007-02-08 18:37 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-08 10:13 <DIR> d-------- C:\avenger
2007-02-08 10:10 <DIR> d-------- C:\Rustbfix
2007-02-07 16:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-02-02 19:10 <DIR> d-------- C:\Program Files\Realtek AC97
2007-02-02 18:28 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-02-02 13:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-02 13:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-02 13:51 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\SUPERAntiSpyware.com
2007-02-02 10:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-02 10:06 12,186,653 --------- C:\AVG7QT.DAT
2007-02-02 10:02 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\AVG7
2007-02-02 10:01 839,936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-02 10:01 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-02 10:01 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-02 10:01 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-02 10:01 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-02 10:01 18,432 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-02 10:01 <DIR> d-------- C:\Program Files\Grisoft
2007-02-02 10:01 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-02 10:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-02-02 09:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-27 18:13 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\Viewpoint
2007-01-09 20:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-09 20:47 <DIR> d-------- C:\DOCUME~1\Adam\Application Data\MixMeister Technology
2007-01-08 19:32 <DIR> d-------- C:\Program Files\MixMeister Fusion


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-07 22:20 -------- d-------- C:\Program Files\dc++
2007-02-07 22:14 -------- d-------- C:\Program Files\soulseek
2007-02-07 22:13 -------- d-------- C:\Program Files\flashfxp
2007-02-06 22:19 -------- d-------- C:\DOCUME~1\Adam\Application Data\adobe
2007-02-06 22:01 -------- d-------- C:\DOCUME~1\Adam\Application Data\macromedia
2007-02-06 22:00 -------- d-------- C:\Program Files\macromedia
2007-02-06 21:59 -------- d---s---- C:\DOCUME~1\Adam\Application Data\microsoft
2007-02-06 21:59 -------- d-------- C:\Program Files\quicktime
2007-02-02 18:31 -------- d-------- C:\Program Files\winamp
2007-01-31 21:54 -------- d-------- C:\Program Files\ad-aware se personal
2007-01-26 10:37 -------- d-------- C:\DOCUME~1\Adam\Application Data\canon
2007-01-07 14:07 -------- d-------- C:\Program Files\hksfv
2006-12-14 16:42 43848 --a------ C:\DOCUME~1\Adam\Application Data\gdipfontcachev1.dat
2006-12-13 08:46 -------- d-------- C:\Program Files\avg anti-spyware 7.5
2006-12-09 20:27 -------- d-------- C:\Program Files\virtualdj
2006-11-28 18:11 88064 --a------ C:\VundoFix.exe
2006-11-09 11:03 8464 --a------ C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ANR"="C:\\Program Files\\voice_record\\ANR.exe"
"MySpaceIM"="\"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"forwas"=hex:15,26,db,fb,69
"cryptpa"=hex:b7,ef,dc,83,21


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\MSN\kyfevylaj.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Common Files\hocys.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-08 18:49:42
C:\ComboFix2.txt ... 07-02-07 16:21
C:\ComboFix3.txt ... 06-11-28 18:07

#9 Linkmaster (Visiting Staff, 940 posts)

Delete this folder :

C:\qoobox

Empty your recycle bin !

Your logs seem to be OK now !!

Just one more thing :
**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK and Reboot

How is your system running now ??

Here are a few recommendations for protecting your system and reducing your risk of infection again !!

** Windows Update **
It is very important to keep your system up to date with the latest Critical Updates to avoid unnecessary security risks
Visit Microsoft's Windows Update page at the very least monthly to check for updates !!

** Make Your Internet Explorer More Secure **
This can be done by following these simple instructions :
From within Internet Explorer click on the Tools menu and then click on Options
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the Allow paste operations via script to Disable
When all these settings have been made, click on the OK button
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

** Use the Hosts File **
Every version of Windows has a hosts file as part of it. Basically, it is used to locate web pages
You can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is Optional
Download MVP Hosts© by WinHelp2002
Make sure you read the instructions on how to install the hosts file
Also read The Hosts File and what it can do for you tutorial
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps :
1) Click on Start
2) Click on Run
3) In the dialog box, type services.msc, then hit OK
4) Navigate to DNS Client and double click on it
5) In the dropdown box next to Startup type:, change the setting from Automatic to Manual
6) Click on Apply then OK

** Real Time Prevention **
SpywareBlaster© by Javacool Software :
*Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests
*Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
*Restrict the actions of potentially dangerous sites in Internet Explorer.
*Consumes no system resources

*Download, run, check for updates, download updates, select all, protect against checked. All done
*Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the Javacool page
IESpyad© by EHowes : This will add several hundred Restricted Sites to the Restricted Site Zone in IE.

** File Cleaners (temp, prefetch, cookie, etc) **
2000/XP Only
ATF (Atribune Temp File) Cleaner© by Atribune
All Windows
CCleaner© by CCleaner.com

** Spyware Scanners **
You should run Spyware Removal Software on a regular basis along with your AntiVirus program
Here are some FREE Spyware Scanners for home use that will detect and remove trojans, dialers, malware, browser hijackers, tracking components and other forms of Spyware:
SUPERAntiSpyware Home© by SUPERAntiSpyware.com
Ad-aware SE© by Lavasoft
Spybot S&D© by Safer-Networking

** Firewalls **
If you have an "always on" internet connection, such as DSL or Cable, I recommend a Firewall.
A firewall will make your pc invisible to the outside world and will filter the outgoing and incoming traffic on your pc.
For a good idea of how vulnerable your system(s) are, go to GRC
Scroll down to "Shields Up", click on "Proceed", then click on "Common Ports" to scan your ports.
Here are 3 good free Personal Firewalls :
Sunbelt Kerio Personal Firewall© by Sunbelt
Jetico Personal Firewall© by Jetico, Inc.
Comodo Personal Firewall© by Comodo Group (XP & 2000 only)

** Update Java **
Go to Start, Control Panel, Add/Remove Programs
Search in the list for all previously installed versions of Java (J2SE Runtime Environment....) and select Remove
Then download and install the newest version:
JAVA SOFTWARE MANUAL DOWNLOAD

** Internet Safety **
A very helpful tutorial :
Simple and easy ways to keep your computer safe and secure on the Internet

Always keep your Antivirus, Spyware Removal Tools and other Security Tools current with the latest definitions and updates !!

Following these recommendations will help reduce your risk of future infections !!

Do you have any questions??

#10 dJonE (Member, Topic Starter)
No, there is no difference in my computer's performance :whistling: ... when I open "My Computer" it takes a long time to open... it opens and a flashlight appears in the middle of the screen indicating that it's searching for files... also, when I open my internet my homepage opens fine, but when I type in an address manually in the address bar it takes about 2 minutes to open (only the websites in my favorites open quickly)... and I also have no sound :blink:


#11 Linkmaster (Visiting Staff)
OK

First :

Right click on My Computer
Select Properties
Look in the bottom right and tell me how much memory you have!

Please run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site, click the Scan your PC button (be sure to disable your popup blocker first)
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Click on See report, then click Save report

Post the Panda Active Scan report here !

#12 dJonE (Member, Topic Starter)
HERE YOU GO

Incident Status Location

Adware:adware/azesearch Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Adam\Cookies\adam@burstnet[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Adam\Desktop\SpyAxeFix\Process.exe

#13 Linkmaster (Visiting Staff)
One more scan:

Download SmitfraudFix© by S!Ri to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press Enter
IMPORTANT: DO NOT run any other options until you are asked to do so!
This program will scan large amounts of files on your computer for known patterns so please be patient while it works
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you.

When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed
Open the rapport.txt file
Copy and Paste the contents of the rapport.txt file here

#14 dJonE (Member, Topic Starter)
SmitFraudFix v2.141

Scan done at 23:25:16.68, Fri 02/09/2007
Run from C:\Documents and Settings\Adam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Adam


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Adam\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Adam\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN\\kyfevylaj.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Common Files\\hocys.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by dJonE, 10 February 2007 - 01:26 AM.

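The "Desktop Components" section of that log is the part worth reading carefully: Active Desktop normally carries a single component whose Source is About:Home, and the first two entries in the log point instead at HTML files with random-looking names under Program Files. The Python snippet below is an added example, not part of SmitfraudFix or of this thread: it parses the .reg-style dump SmitfraudFix writes for that section and flags any component whose Source is a local file rather than About:Home or a URL. That classification is this example's own triage heuristic, not something the tool reports; the sample input is the excerpt posted above, embedded here as constructed test data.

```python
r"""Triage the 'Desktop Components' section of a SmitfraudFix rapport.txt.

Added example; not part of SmitfraudFix or of the original thread.
Active Desktop components live under
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\<n>, and
SmitfraudFix dumps them in .reg syntax (backslashes doubled, values quoted).
The verdicts below are this example's own heuristic: the stock component is
About:Home, so a component whose Source is a local HTML file needs a look.
"""
import re

# Excerpt of the Desktop Components section as posted in the thread,
# embedded as constructed test input (the .reg escaping is preserved).
SAMPLE_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\MSN\\kyfevylaj.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Common Files\\hocys.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
"""

SECTION_RE = re.compile(r"^»+\s*(.*?)\s*$")
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Desktop\\Components\\(\d+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
LOCAL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC path


def reg_unescape(text):
    """Undo .reg-file escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(["\\])', r"\1", text)


def parse_desktop_components(log_text):
    """Return {index: {value_name: value}} for the Desktop Components section only."""
    components, current, in_section = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # a '»»»' header starts a new section of the report
            in_section = m.group(1).lower() == "desktop components"
            current = None
            continue
        if not in_section or not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = components.setdefault(int(m.group(1)), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = reg_unescape(m.group(2))
    return components


def classify_source(source):
    """Heuristic verdict for one component's Source value."""
    s = source.strip()
    if not s:
        return "empty"
    if s.lower().startswith("about:"):
        return "builtin"       # About:Home is the normal, stock component
    if re.match(r"^https?://", s, re.I):
        return "remote-url"    # legitimate web content; still check where it points
    if LOCAL_PATH_RE.match(s):
        return "local-file"    # dropped HTML wallpaper: the pattern to inspect
    return "other"


def triage(log_text):
    """List (index, source, verdict) for every parsed component, in index order."""
    return [(idx, vals.get("Source", ""), classify_source(vals.get("Source", "")))
            for idx, vals in sorted(parse_desktop_components(log_text).items())]


def suspicious(log_text):
    """Only the components whose Source is a local file."""
    return [(i, src) for i, src, verdict in triage(log_text) if verdict == "local-file"]


if __name__ == "__main__":
    for idx, src, verdict in triage(SAMPLE_LOG):
        print(f"Components\\{idx}: {verdict:10s} {src}")
```

Pointed at a real rapport.txt instead of `SAMPLE_LOG`, the script prints one line per component; the paths it flags are the files to preserve for analysis before the cleanup step removes the registry keys, and the parser stops at the next `»»»` header so the unrelated sections of the report are never misread as components.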

#15 Linkmaster (Visiting Staff)
Right click on My Computer
Select Properties
Look in the bottom right and tell me how much memory you have!

If you have hksfv installed :
Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

hksfv
AzeSearch


Do Not reboot if it asks

When finished uninstalling close Control Panel

Reboot

Let me know how it's running?

Edited by Linkmaster, 10 February 2007 - 05:35 AM.
