Vundo Help (i think...) [RESOLVED]



#1 glover1 (New Member, 6 posts)

Hi, ANY help would be greatly appreciated!!!!!

Several days ago my PC had a new screen saver (kids, YouTube); since then a whole host of problems: multiple IE ads, banking user names deleted, etc. Using XP, NO anti-virus or firewall (yes, you read that right :) ). Loaded AVAST, gave multiple warnings of trojans (win32:tratBHO), can't delete them. After some panic decided I need a firewall to try and see what's going on; most require SP2 so attempted to load that. Can't connect to any site involving SP2 or Microsoft (other PC fine). Found name Vundo from search, very limited connection to sites involved with this. Eventually I arrived here. Tried VUNDOFIX, deletes some but after rescanning:

c\windows\system32\qomnllk.dll keeps reappearing

I don't feel this PC belongs to me anymore: constant internet connection 'clicking' in the background and keystrokes not right.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:13, on 03/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mrofinu572.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\BHROOT\BIN\NT611SVC.EXE
C:\BHROOT\BIN\monitor.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\ElsaWin\bin\LcSvrAdm.exe
C:\ElsaWin\bin\LcSvrDba.exe
C:\ElsaWin\bin\LcSvrHis.exe
C:\ElsaWin\bin\LcSvrPas.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\BHROOT\BIN\PORTMAP.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spnsrvnt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
C:\PROGRA~1\JAVASOFT\JRE\132E6D~1.1\bin\java.exe
C:\BHROOT\BIN\DBMANG.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\ElsaWin\bin\LcSvrAuf.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleaner\registrycleaner2008.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://whc-live-webc.../ShowSetup5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom....gamesplayer.cab
O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://qa.nsapp.ford...IDS44/setup.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino....en/FlashAX2.cab
O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - C:\ElsaWin\bin\wiProt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: bh611 - Bell& Howell - C:\BHROOT\BIN\NT611SVC.EXE
O23 - Service: Bell & Howell Monitor Service (BHMonitorService) - Bell & Howell - C:\BHROOT\BIN\monitor.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: Bell & Howell Database Manager (dbmang) - Bell & Howell - C:\BHROOT\BIN\DBMANG.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - C:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - C:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - C:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: ONC/RPC Portmapper (portmapper) - Bell & Howell - C:\BHROOT\BIN\PORTMAP.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\System32\spnsrvnt.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\IsoView\rterte.html

--
End of file - 9983 bytes



If anybody could point me in the right direction or offer any help it would be greatly appreciated. Any more info needed, just let us know. Thanks in advance....

#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 glover1 (Topic Starter, New Member, 6 posts)

Hi, thanks for the assistance...

ComboFix scan gave:

ComboFix 08-02.03.1 - John 2008-02-04 9:46:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.56 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvtt.dll
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\ystem~1
C:\Program Files\FunWebProducts
C:\Program Files\IsoView\rterte.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\pack.epk
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\huanxsr.dat
C:\WINDOWS\system32\huanxsr_nav.dat
C:\WINDOWS\system32\huanxsr_navps.dat
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qomnllk.dll
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 15:06 . 2008-02-03 16:50 <DIR> d-------- C:\VundoFix Backups
2008-02-01 19:56 . 2008-02-01 19:56 <DIR> d-------- C:\Program Files\MagicISO
2008-01-31 21:18 . 2008-01-31 21:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\WINDOWS\RegistryCleaner
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\Program Files\RegistryCleaner
2008-01-29 21:18 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 21:18 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 21:18 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 21:18 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 21:17 . 2008-01-29 21:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 21:17 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 21:17 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 21:17 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 21:17 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 21:05 . 2008-01-29 21:05 <DIR> d-------- C:\Toolbar4Free Toolbar images
2008-01-29 20:51 . 2008-01-30 09:48 <DIR> d--hs---- C:\WINDOWS\Sm9obg
2008-01-29 20:50 . 2008-01-30 09:50 <DIR> d-------- C:\WINDOWS\system32\pie2
2008-01-29 20:50 . 2008-01-29 20:50 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-29 20:50 . 2008-01-29 20:50 <DIR> d-------- C:\WINDOWS\system32\ecw8
2008-01-29 20:50 . 2008-01-29 20:50 <DIR> d-------- C:\Temp\gTiis19
2008-01-29 20:50 . 2008-01-29 20:50 <DIR> d-------- C:\Temp\cXzz9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 09:52 --------- d-----w C:\Program Files\IsoView
2008-01-29 13:05 --------- d-----w C:\Program Files\cosids
2008-01-21 11:01 --------- d-----w C:\Documents and Settings\John\Application Data\AdobeUM
2007-12-19 15:35 --------- d-----w C:\Program Files\Google
2007-12-09 14:49 59,392 ----a-w C:\WINDOWS\derc32xz.exe
.
----a-w			32,768 2004-09-29 19:44:54  C:\Documents and Settings\John\Desktop\Downloads\Carradiodecoders\Car Codes\FordLC .exe
----a-w			93,696 2004-09-29 19:44:52  C:\Documents and Settings\John\Desktop\Downloads\Carradiodecoders\Car Codes\More Becker\Becker4digit .exe
----a-w		   185,856 2004-09-29 19:44:54  C:\Documents and Settings\John\Desktop\Downloads\Carradiodecoders\Car Codes\More Blaupunkt\Blaupunkt Peugeot T1 Code Viewer .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90AA09E0-8B83-40C9-A945-235361DB53A8}]
C:\WINDOWS\System32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5E87E1C-CD5C-4BE3-846E-5E045403F3E2}]
C:\WINDOWS\System32\jkhhh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 12:00 13312]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-08 17:43 1953792]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00 200704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]
"RegistryCleanFixMFC"="C:\Program Files\RegistryCleaner\registrycleaner2008.exe" [2008-01-24 11:09 12079237]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-12-15 07:20 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 10:40 1241138]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 14:18 135168]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 03:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-09 10:24 282624]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 12:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-06-15 07:59:24 1742384]
blueyonder Instant Support Tool.lnk - C:\Program Files\blueyonder IST\bin\matcli.exe [2005-05-10 16:01:20 204800]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2005-05-10 16:10:42 1157120]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-02-11 16:31:55 598016]

R0 xmasbus;xmasbus;C:\WINDOWS\System32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\System32\Drivers\xmasscsi.sys [2003-12-20 20:03]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [2001-08-17 12:53]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-02-26 09:25]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 00:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-04 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-01 10:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-01 11:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-01 12:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-02 13:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-02 14:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 15:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 16:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 17:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 18:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-01-05 01:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 19:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 20:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 21:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 22:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 23:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-12-04 08:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 10:00:48
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\BHROOT\BIN\NT611SVC.EXE
C:\BHROOT\BIN\monitor.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\ElsaWin\bin\LcSvrAdm.exe
C:\ElsaWin\bin\LcSvrDba.exe
C:\ElsaWin\bin\LcSvrHis.exe
C:\ElsaWin\bin\LcSvrPas.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\BHROOT\BIN\PORTMAP.EXE
C:\WINDOWS\System32\spnsrvnt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
C:\PROGRA~1\JAVASOFT\JRE\132E6D~1.1\bin\java.exe
C:\BHROOT\BIN\DBMANG.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\ElsaWin\bin\LcSvrAuf.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
.
**************************************************************************
.
Completion time: 2008-02-04 10:10:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 10:10:11


Revised HijackThis scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:27, on 04/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\BHROOT\BIN\NT611SVC.EXE
C:\BHROOT\BIN\monitor.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\ElsaWin\bin\LcSvrAdm.exe
C:\ElsaWin\bin\LcSvrDba.exe
C:\ElsaWin\bin\LcSvrHis.exe
C:\ElsaWin\bin\LcSvrPas.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\BHROOT\BIN\PORTMAP.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spnsrvnt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
C:\PROGRA~1\JAVASOFT\JRE\132E6D~1.1\bin\java.exe
C:\BHROOT\BIN\DBMANG.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\ElsaWin\bin\LcSvrAuf.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {90AA09E0-8B83-40C9-A945-235361DB53A8} - C:\WINDOWS\System32\pmnlk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D5E87E1C-CD5C-4BE3-846E-5E045403F3E2} - C:\WINDOWS\System32\jkhhh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleaner\registrycleaner2008.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://whc-live-webc.../ShowSetup5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom....gamesplayer.cab
O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://qa.nsapp.ford...IDS44/setup.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino....en/FlashAX2.cab
O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - C:\ElsaWin\bin\wiProt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: bh611 - Bell& Howell - C:\BHROOT\BIN\NT611SVC.EXE
O23 - Service: Bell & Howell Monitor Service (BHMonitorService) - Bell & Howell - C:\BHROOT\BIN\monitor.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: Bell & Howell Database Manager (dbmang) - Bell & Howell - C:\BHROOT\BIN\DBMANG.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - C:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - C:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - C:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: ONC/RPC Portmapper (portmapper) - Bell & Howell - C:\BHROOT\BIN\PORTMAP.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\System32\spnsrvnt.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe

--
End of file - 10561 bytes


Regards

#4 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {90AA09E0-8B83-40C9-A945-235361DB53A8} - C:\WINDOWS\System32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {D5E87E1C-CD5C-4BE3-846E-5E045403F3E2} - C:\WINDOWS\System32\jkhhh.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\jkhhh.dll
C:\WINDOWS\derc32xz.exe

Folder::
C:\WINDOWS\Sm9obg
C:\WINDOWS\system32\pie2
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\ecw8
C:\Temp\gTiis19
C:\Temp\cXzz9

RenV::
----a-w 32,768 2004-09-29 19:44:54 C:\Documents and Settings\John\Desktop\Downloads\Carradiodecoders\Car Codes\FordLC .exe
----a-w 93,696 2004-09-29 19:44:52 C:\Documents and Settings\John\Desktop\Downloads\Carradiodecoders\Car Codes\More Becker\Becker4digit .exe
----a-w 185,856 2004-09-29 19:44:54 C:\Documents and Settings\John\Desktop\Downloads\Carradiodecoders\Car Codes\More Blaupunkt\Blaupunkt Peugeot T1 Code Viewer .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#5 glover1 (New Member) - Topic Starter, 6 posts
Hi, the new log is:


ComboFix 08-02.03.1 - John 2008-02-04 13:41:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.73 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\System32\jkhhh.dll
C:\WINDOWS\System32\pmnlk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\cXzz9
C:\Temp\gTiis19
C:\Temp\gTiis19\lTig.log
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\Sm9obg
C:\WINDOWS\system32\ecw8
C:\WINDOWS\system32\ecw8\renamd83122.exe
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\pie2

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 13:29 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-04 13:29 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-04 12:26 . 2008-02-04 12:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-03 15:06 . 2008-02-03 16:50 <DIR> d-------- C:\VundoFix Backups
2008-02-01 19:56 . 2008-02-01 19:56 <DIR> d-------- C:\Program Files\MagicISO
2008-01-31 21:18 . 2008-01-31 21:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\WINDOWS\RegistryCleaner
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\Program Files\RegistryCleaner
2008-01-29 21:18 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 21:18 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 21:18 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 21:18 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 21:17 . 2008-01-29 21:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 21:17 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 21:17 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 21:17 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 21:17 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 21:05 . 2008-01-29 21:05 <DIR> d-------- C:\Toolbar4Free Toolbar images

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 09:52 --------- d-----w C:\Program Files\IsoView
2008-01-29 13:05 --------- d-----w C:\Program Files\cosids
2008-01-21 11:01 --------- d-----w C:\Documents and Settings\John\Application Data\AdobeUM
2007-12-19 15:35 --------- d-----w C:\Program Files\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 12:00 13312]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-08 17:43 1953792]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00 200704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]
"RegistryCleanFixMFC"="C:\Program Files\RegistryCleaner\registrycleaner2008.exe" [2008-01-24 11:09 12079237]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-12-15 07:20 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 10:40 1241138]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 14:18 135168]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 03:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-09 10:24 282624]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 12:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-06-15 07:59:24 1742384]
blueyonder Instant Support Tool.lnk - C:\Program Files\blueyonder IST\bin\matcli.exe [2005-05-10 16:01:20 204800]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2005-05-10 16:10:42 1157120]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-02-11 16:31:55 598016]

R0 xmasbus;xmasbus;C:\WINDOWS\System32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\System32\Drivers\xmasscsi.sys [2003-12-20 20:03]
R2 COSIDS_TB;COSIDS_TB;C:\PROGRA~1\COSIDS\BIN\TbMux32.exe [2001-11-20 14:37]
R2 LcSvrAdm;ELSA Administration Service;C:\ElsaWin\bin\LcSvrAdm.exe [2006-03-20 12:34]
R2 LcSvrDba;ELSA DBA Server;C:\ElsaWin\bin\LcSvrDba.exe [2006-03-20 12:16]
R2 LcSvrHis;ELSA Historie Server;C:\ElsaWin\bin\LcSvrHis.exe [2006-03-20 12:28]
R2 LcSvrPAS;ELSA PASS Server;C:\ElsaWin\bin\LcSvrPas.exe [2006-03-20 12:17]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;C:\ElsaWin\bin\LcSvrAuf.exe [2006-03-20 12:23]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [2001-08-17 12:53]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-12-09 19:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-02-26 09:25]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 00:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-04 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-01 10:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-04 11:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-04 12:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-04 13:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-02 14:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 15:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 16:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 17:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 18:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-01-05 01:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 19:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 20:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 21:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 22:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 23:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-09-01 18:32:13 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2007-12-04 08:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 13:46:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 13:59:47
ComboFix-quarantined-files.txt 2008-02-04 13:59:42
ComboFix2.txt 2008-02-04 10:10:18


Regards

#6 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\System32\jRmh2o5c.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At23.job


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Also post a new HijackThis log and tell me how your PC is running.
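As an added illustration (not code from the thread, from ComboFix or from its authors), a small Python triage script for the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log like the one posted above: it pairs each .job line with the program it launches, flags a program that several At<N>.job files point at or that has a random-looking name under System32, and builds the matching File:: list for a CFScript. The sample section is constructed from the log (three of the 24 entries plus a made-up harmless job), and the name-randomness check is a coarse heuristic of this example, not ComboFix's logic.

```python
"""Triage helper for the "Contents of the 'Scheduled Tasks' folder" section
of a ComboFix log. Added example: not code from the thread or from ComboFix.

ComboFix prints each .job file on a quoted line with its last-run time and
the program it launches on the following "- " line. At<N>.job files are made
by the Windows `at` command; two dozen of them firing hourly and all pointing
at one random-looking executable under System32 is the pattern in the log."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log: three of the 24 At*.job
# entries plus one harmless, made-up backup job for contrast.
SAMPLE_SECTION = r"""
Contents of the 'Scheduled Tasks' folder
"2008-02-02 00:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-04 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-02-03 23:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
"2008-01-10 03:00:00 C:\WINDOWS\Tasks\Nightly Backup.job"
- C:\Program Files\Example Backup\backup.exe
.
"""

JOB_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_LINE = re.compile(r'^- (.+)$')
AT_JOB = re.compile(r'^At\d+\.job$', re.IGNORECASE)
# Coarse heuristic for machine-generated names: 6-12 alphanumerics containing
# at least one digit (jRmh2o5c.exe matches; ctfmon.exe or aswBoot.exe do not).
RANDOM_NAME = re.compile(r'^(?=.*\d)[A-Za-z0-9]{6,12}\.exe$')


def parse_scheduled_tasks(text):
    """Return [(job_path, last_run, target_program)] from the log section."""
    lines = [ln.strip() for ln in text.splitlines()]
    jobs = []
    i = 0
    while i < len(lines):
        job = JOB_LINE.match(lines[i])
        target = TARGET_LINE.match(lines[i + 1]) if job and i + 1 < len(lines) else None
        if job and target:
            jobs.append((job.group(2), job.group(1), target.group(1)))
            i += 2
        else:
            i += 1
    return jobs


def flag_targets(jobs, min_at_jobs=3):
    """Map suspicious target program -> list of reasons it was flagged."""
    by_target = defaultdict(list)
    for job_path, _, target in jobs:
        by_target[target].append(job_path.rsplit('\\', 1)[-1])
    flagged = {}
    for target, job_names in by_target.items():
        reasons = []
        at_count = sum(1 for n in job_names if AT_JOB.match(n))
        if at_count >= min_at_jobs:
            reasons.append(f"{at_count} At*.job files launch the same program")
        basename = target.rsplit('\\', 1)[-1]
        if '\\system32\\' in target.lower() and RANDOM_NAME.match(basename):
            reasons.append("random-looking executable name under System32")
        if reasons:
            flagged[target] = reasons
    return flagged


def natural_key(path):
    """Sort key so At2.job precedes At10.job (digits compared numerically)."""
    return [int(tok) if tok.isdigit() else tok.lower()
            for tok in re.split(r'(\d+)', path)]


def build_cfscript(jobs, flagged):
    """File:: section naming each flagged program and every job that runs it,
    deduplicated and sorted so a missing or doubled At<N>.job stands out."""
    files = set()
    for job_path, _, target in jobs:
        if target in flagged:
            files.add(target)
            files.add(job_path)
    return "File::\n" + "\n".join(sorted(files, key=natural_key)) + "\n"


if __name__ == "__main__":
    parsed = parse_scheduled_tasks(SAMPLE_SECTION)
    hits = flag_targets(parsed)
    for program, reasons in hits.items():
        print(f"{program}: {'; '.join(reasons)}")
    print(build_cfscript(parsed, hits))
```

The generated File:: list is only a starting point: a helper still confirms each flagged program (file size, date, digital signature) before it goes into a CFScript.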

#7 glover1 (New Member) - Topic Starter, 6 posts
Hi, here's the ComboFix log:

ComboFix 08-02.03.1 - John 2008-02-04 21:32:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.75 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\System32\jRmh2o5c.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 13:29 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-04 13:29 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-04 12:26 . 2008-02-04 12:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-03 15:06 . 2008-02-03 16:50 <DIR> d-------- C:\VundoFix Backups
2008-02-01 19:56 . 2008-02-01 19:56 <DIR> d-------- C:\Program Files\MagicISO
2008-01-31 21:18 . 2008-01-31 21:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\WINDOWS\RegistryCleaner
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\Program Files\RegistryCleaner
2008-01-29 21:18 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 21:18 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 21:18 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 21:18 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 21:17 . 2008-01-29 21:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 21:17 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 21:17 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 21:17 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 21:17 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 21:05 . 2008-01-29 21:05 <DIR> d-------- C:\Toolbar4Free Toolbar images

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 09:52 --------- d-----w C:\Program Files\IsoView
2008-01-29 13:05 --------- d-----w C:\Program Files\cosids
2008-01-21 11:01 --------- d-----w C:\Documents and Settings\John\Application Data\AdobeUM
2007-12-19 15:35 --------- d-----w C:\Program Files\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 12:00 13312]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-08 17:43 1953792]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00 200704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]
"RegistryCleanFixMFC"="C:\Program Files\RegistryCleaner\registrycleaner2008.exe" [2008-01-24 11:09 12079237]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-12-15 07:20 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 10:40 1241138]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 14:18 135168]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 03:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-09 10:24 282624]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 12:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-06-15 07:59:24 1742384]
blueyonder Instant Support Tool.lnk - C:\Program Files\blueyonder IST\bin\matcli.exe [2005-05-10 16:01:20 204800]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2005-05-10 16:10:42 1157120]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-02-11 16:31:55 598016]

R0 xmasbus;xmasbus;C:\WINDOWS\System32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\System32\Drivers\xmasscsi.sys [2003-12-20 20:03]
R2 COSIDS_TB;COSIDS_TB;C:\PROGRA~1\COSIDS\BIN\TbMux32.exe [2001-11-20 14:37]
R2 LcSvrAdm;ELSA Administration Service;C:\ElsaWin\bin\LcSvrAdm.exe [2006-03-20 12:34]
R2 LcSvrDba;ELSA DBA Server;C:\ElsaWin\bin\LcSvrDba.exe [2006-03-20 12:16]
R2 LcSvrHis;ELSA Historie Server;C:\ElsaWin\bin\LcSvrHis.exe [2006-03-20 12:28]
R2 LcSvrPAS;ELSA PASS Server;C:\ElsaWin\bin\LcSvrPas.exe [2006-03-20 12:17]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;C:\ElsaWin\bin\LcSvrAuf.exe [2006-03-20 12:23]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [2001-08-17 12:53]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-12-09 19:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-02-26 09:25]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 23:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\jRmh2o5c.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 21:37:45
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 21:56:27
ComboFix-quarantined-files.txt 2008-02-04 21:56:22
ComboFix2.txt 2008-02-04 13:59:47
ComboFix3.txt 2008-02-04 10:10:18






Here's the SUPERAntiSpyware log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/05/2008 at 09:00 AM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 10:51:38

Memory items scanned : 491
Memory threats detected : 0
Registry items scanned : 6250
Registry threats detected : 0
File items scanned : 672644
File threats detected : 568

Adware.Tracking Cookie
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@uk[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@mediamatters[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@next[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[7].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@tradedoubler[2].txt
C:\Documents and Settings\John\Cookies\john@adbrite[2].txt
C:\Documents and Settings\John\Cookies\john@keywordmax[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@mywebsearch[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@57952390[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@ad[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[11].txt
C:\Documents and Settings\John\Cookies\john@virginmedia[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@ukshop[1].txt
C:\Documents and Settings\John\Cookies\john@panasonic[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[12].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@91329241[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@toplist[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@empiredirect[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@partypoker[1].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[3].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@clickbank[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@webstat[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@test[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@valueclick[3].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@findmypast[2].txt
C:\Documents and Settings\John\Cookies\john@yadro[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@bupa[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@valueclick[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@60543646[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@ici-paints[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@uk[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@clicksor[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@corp-site[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@pro-market[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@ufindus[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@web-stat[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@superstats[1].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@myoffers[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@dulux-uk[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@advertpro[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[1].txt
C:\Documents and Settings\John\Cookies\john@duluxtrade-uk[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@pacificpoker[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@work[2].txt
C:\Documents and Settings\John\Cookies\john@p[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@tdstats[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@diy[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@ddc-uk[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@adecn[1].txt
C:\Documents and Settings\John\Cookies\john@1062428943[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@maxserving[1].txt
C:\Documents and Settings\John\Cookies\john@renault-uk[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@888[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@S142201[2].txt
C:\Documents and Settings\John\Cookies\john@dcsgoplte64xo24eg5ijloz0x_4d4t[1].txt
C:\Documents and Settings\John\Cookies\john@azjmp[1].txt
C:\Documents and Settings\John\Cookies\john@bestsellerantivirus[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@1062668208[1].txt
C:\Documents and Settings\John\Cookies\john@commission-junction[2].txt
C:\Documents and Settings\John\Cookies\john@dcs8a1rrculeroaqmbjq87oq1_4s7l[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@ebookers[1].txt
C:\Documents and Settings\John\Cookies\john@avsystemcare[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@288_[2].txt
C:\Documents and Settings\John\Cookies\john@cpvfeed[2].txt
C:\Documents and Settings\John\Cookies\john@greatgamesexperiment[2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[9].txt
C:\Documents and Settings\John\Cookies\john@renault-group[1].txt
C:\Documents and Settings\John\Cookies\john@nextag[2].txt
C:\Documents and Settings\John\Cookies\john@catalog[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@gamersbanner[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@new-pcp[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@opsi[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@xiti[1].txt
C:\Documents and Settings\John\Cookies\john@porntube[1].txt
C:\Documents and Settings\John\Cookies\john@1068980963[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@cassava[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@gomyhit[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@1072704879[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@adultfriendfinder[2].txt
C:\Documents and Settings\John\Cookies\john@288_[3].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@10599399[2].txt
C:\Documents and Settings\John\Cookies\john@1068531627[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@mediamax[2].txt
C:\Documents and Settings\John\Cookies\john@1069160648[1].txt
C:\Documents and Settings\John\Cookies\john@xxxgames[1].txt
C:\Documents and Settings\John\Cookies\john@1069551092[1].txt
C:\Documents and Settings\John\Cookies\john@1055750528[1].txt
C:\Documents and Settings\John\Cookies\john@zango[1].txt
C:\Documents and Settings\John\Cookies\john@inteletrack[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@1071339778[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[13].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@cgi-bin[4].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@ex=1_[2].txt
C:\Documents and Settings\John\Cookies\john@magiclickgames[1].txt
C:\Documents and Settings\John\Cookies\john@92123149[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@linksynergy[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@uk[3].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@S109821[1].txt
C:\Documents and Settings\John\Cookies\john@1064175057[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@25420556[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@sexygames[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@hentaicounter[2].txt
C:\Documents and Settings\John\Cookies\john@adult-sex-games[1].txt
C:\Documents and Settings\John\Cookies\john@1071856944[1].txt
C:\Documents and Settings\John\Cookies\john@wysistat[2].txt
C:\Documents and Settings\John\Cookies\john@findarticles[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@1072647350[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@a[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@da-tracking[2].txt
C:\Documents and Settings\John\Cookies\john@hornygamer[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@spamblockerutility[2].txt
C:\Documents and Settings\John\Cookies\john@sexy[bleep]games[2].txt
C:\Documents and Settings\John\Cookies\john@focalex[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@34292599[2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@ig[3].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@1072697808[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@advertlets[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@1064271475[1].txt
C:\Documents and Settings\John\Cookies\john@1070508194[1].txt
C:\Documents and Settings\John\Cookies\john@dcshd6bmw100004jlsko7l3di_8w3s[1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\John\Cookies\john@1068292427[1].txt
C:\Documents and Settings\John\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt
C:\Documents and Settings\John\Cookies\[email protected][2].txt
C:\Documents and Settings\John\Cookies\john@banners[1].txt
C:\Documents and Settings\John\Cookies\john@media[1].txt
C:\Documents and Settings\John\Cookies\john@pointroll[1].txt
C:\Documents and Settings\John\Cookies\john@track[1].txt
C:\Documents and Settings\John\Cookies\john@track[3].txt

Browser Hijacker.Favorites
C:\Documents and Settings\John\Favorites\Pharmacy\http--www.allcures.com-images-header-Head_Banner_home.gif.url
C:\Documents and Settings\John\Favorites\Pharmacy

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\JOHN\DESKTOP\OIUNINSTALLER.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR

Adware.k8l
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISOVIEW\RTERTE.HTML.VIR

Trojan.Unclassified/17PHolmes-A
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU1000106.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP969\A0135700.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP970\A0135923.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP975\A0136185.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ECW8\RENAMD83122.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\TTC-4444.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP970\A0135702.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP975\A0136181.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP975\A0136184.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP976\A0136258.EXE

Trojan.Unclassifed/AffiliateBundle
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QOMNLLK.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP973\A0136119.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP973\A0136121.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3CAB467-0DFF-45C7-AD76-A5067FF759EA}\RP975
  • 0
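The scan log above mixes findings that need very different handling: tracking cookies (data only), items ComboFix has already moved into C:\QOOBOX\QUARANTINE (the .VIR suffix), copies sitting inside System Restore points, and files that are still live on disk. As an added example that is not part of the original post or of SUPERAntiSpyware itself, here is a small Python triage script that parses a log in this layout and sorts each path by location. The sample log is constructed for the example; the category label for cookies and the restore-point GUID are assumed, not taken from this thread.

```python
import re
from collections import Counter

# Constructed sample in the layout SUPERAntiSpyware uses for its scan log:
# a detection-category line, one path per line, then a blank line.
# Paths are made up for this example; the "Adware.Tracking Cookie" label
# and the restore-point GUID are assumptions.
SAMPLE_SAS_LOG = r"""
Adware.Tracking Cookie
C:\Documents and Settings\John\Cookies\john@zedo[1].txt
C:\Documents and Settings\John\Cookies\john@trustedantivirus[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\JOHN\DESKTOP\OIUNINSTALLER.EXE

Trojan.Unclassified/17PHolmes-A
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU1000106.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP969\A0135700.EXE

Trojan.Unclassified/AffiliateBundle
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QOMNLLK.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP973\A0136119.DLL
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_sas_log(text):
    """Return (category, path) pairs; any non-blank, non-path line starts a new category."""
    findings, category = [], "(uncategorised)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            findings.append((category, line))
        else:
            category = line
    return findings


def classify_location(path):
    """Where the file sits decides what removal work is still outstanding."""
    p = path.lower()
    if "\\cookies\\" in p:
        return "cookie"          # tracking cookie: data only, nothing executes
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"     # ComboFix already moved it (.VIR suffix); delete quarantine once clean
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # copy held by System Restore; purge by flushing restore points
    return "live"                # still on disk where it can run: handle these first


def triage(text):
    """Count findings per location and list the ones that are still live."""
    findings = parse_sas_log(text)
    counts = Counter(classify_location(path) for _, path in findings)
    live = [(cat, path) for cat, path in findings if classify_location(path) == "live"]
    return counts, live


if __name__ == "__main__":
    counts, live = triage(SAMPLE_SAS_LOG)
    for location, n in sorted(counts.items()):
        print(f"{location:14s} {n}")
    for category, path in live:
        print("LIVE:", category, path)
```

The point of the split is that only the "live" bucket represents code that can still run; quarantined and restore-point copies are inert until restored, and cookies carry no code at all, so a long cookie list should not be read as evidence the machine is still infected.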

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\System32\jRmh2o5c.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log and tell me how your PC is running
  • 0
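As an added example, not part of Rorschach112's reply or of ComboFix itself: a small Python helper that writes the File:: block the way the post describes and, after the run, reads the ComboFix log to confirm each requested path was actually reported under "Other Deletions". The sample log is constructed here in the layout ComboFix logs show in this thread; the third target path is made up to exercise the "not in log" case. A target that ComboFix echoes under FILE but does not list under Other Deletions was either already gone or not removed, and only a fresh log, as requested above, settles which.

```python
import re

# ComboFix marks each section of its log with a banner of parentheses, and
# echoes the directives it read from CFScript.txt under a bare upper-case
# heading (FILE in this thread) before listing what it did.
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
HEADING_RE = re.compile(r"^[A-Z]{3,}$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

TARGETS = [
    r"C:\WINDOWS\Tasks\At24.job",            # the two files named in the reply above
    r"C:\WINDOWS\System32\jRmh2o5c.exe",
    r"C:\WINDOWS\example_not_in_log.exe",    # made-up path, to show the "not in log" verdict
]

# Constructed log in the layout ComboFix uses; only the sections this
# helper reads are reproduced.
SAMPLE_COMBOFIX_LOG = r"""
ComboFix 08-02.03.1 - John 2008-02-05 19:42:20.4 - NTFSx86
Command switches used :: C:\Documents and Settings\John\Desktop\cfscript.txt

FILE
C:\WINDOWS\System32\jRmh2o5c.exe
C:\WINDOWS\Tasks\At24.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At24.job

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-04 22:02 . 2008-02-05 09:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
"""


def build_cfscript(paths):
    """Text of a CFScript.txt asking ComboFix to delete the given files."""
    return "File::\n" + "\n".join(paths) + "\n"


def parse_combofix_log(text):
    """Map each log section name to the list of paths listed under it."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif HEADING_RE.match(line):
            current = line
            sections.setdefault(current, [])
        elif PATH_RE.match(line):
            sections.setdefault(current, []).append(line)
    return sections


def check_removals(targets, log_text):
    """For each target, report whether ComboFix said it deleted the file."""
    sections = parse_combofix_log(log_text)
    echoed = {p.lower() for p in sections.get("FILE", [])}
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    verdict = {}
    for target in targets:
        key = target.lower()
        if key in deleted:
            verdict[target] = "deleted"
        elif key in echoed:
            # Echoed but not deleted: already gone before the run, or still present.
            verdict[target] = "listed but not deleted"
        else:
            verdict[target] = "not in log"
    return verdict


if __name__ == "__main__":
    print(build_cfscript(TARGETS[:2]), end="")
    for target, result in check_removals(TARGETS, SAMPLE_COMBOFIX_LOG).items():
        print(f"{result:24s} {target}")
```

Paths are compared case-insensitively because ComboFix and the Windows file system are, but note the comparison is exact otherwise: a target written with a short (8.3) name or a different drive letter will show as "not in log" even if the same file was removed.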

#9
glover1

glover1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi, PC seems to be running fine, can't see any problems with it now. Here's the two logs you requested.

ComboFix 08-02.03.1 - John 2008-02-05 19:42:20.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.78 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\System32\jRmh2o5c.exe
C:\WINDOWS\Tasks\At24.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\At24.job

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 22:02 . 2008-02-05 09:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-04 22:02 . 2008-02-04 22:02 <DIR> d-------- C:\Documents and Settings\John\Application Data\SUPERAntiSpyware.com
2008-02-04 22:02 . 2008-02-04 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-04 22:01 . 2008-02-04 22:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-04 13:29 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-04 13:29 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-03 15:06 . 2008-02-03 16:50 <DIR> d-------- C:\VundoFix Backups
2008-02-01 19:56 . 2008-02-01 19:56 <DIR> d-------- C:\Program Files\MagicISO
2008-01-31 21:18 . 2008-01-31 21:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\WINDOWS\RegistryCleaner
2008-01-31 21:13 . 2008-01-31 21:13 <DIR> d-------- C:\Program Files\RegistryCleaner
2008-01-29 21:18 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 21:18 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 21:18 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 21:18 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 21:17 . 2008-01-29 21:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 21:17 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 21:17 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 21:17 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 21:17 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 21:05 . 2008-01-29 21:05 <DIR> d-------- C:\Toolbar4Free Toolbar images

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 09:52 --------- d-----w C:\Program Files\IsoView
2008-01-29 13:05 --------- d-----w C:\Program Files\cosids
2008-01-21 11:01 --------- d-----w C:\Documents and Settings\John\Application Data\AdobeUM
2007-12-19 15:35 --------- d-----w C:\Program Files\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 14:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 12:00 13312]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-08 17:43 1953792]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00 200704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]
"RegistryCleanFixMFC"="C:\Program Files\RegistryCleaner\registrycleaner2008.exe" [2008-01-24 11:09 12079237]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-12-15 07:20 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 10:40 1241138]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 14:18 135168]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 03:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-09 10:24 282624]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 12:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 12:57 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-06-15 07:59:24 1742384]
blueyonder Instant Support Tool.lnk - C:\Program Files\blueyonder IST\bin\matcli.exe [2005-05-10 16:01:20 204800]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2005-05-10 16:10:42 1157120]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-02-11 16:31:55 598016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 xmasbus;xmasbus;C:\WINDOWS\System32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\System32\Drivers\xmasscsi.sys [2003-12-20 20:03]
R2 COSIDS_TB;COSIDS_TB;C:\PROGRA~1\COSIDS\BIN\TbMux32.exe [2001-11-20 14:37]
R2 LcSvrAdm;ELSA Administration Service;C:\ElsaWin\bin\LcSvrAdm.exe [2006-03-20 12:34]
R2 LcSvrDba;ELSA DBA Server;C:\ElsaWin\bin\LcSvrDba.exe [2006-03-20 12:16]
R2 LcSvrHis;ELSA Historie Server;C:\ElsaWin\bin\LcSvrHis.exe [2006-03-20 12:28]
R2 LcSvrPAS;ELSA PASS Server;C:\ElsaWin\bin\LcSvrPas.exe [2006-03-20 12:17]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;C:\ElsaWin\bin\LcSvrAuf.exe [2006-03-20 12:23]
R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [2001-08-17 12:53]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2006-12-09 19:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\System32\DRIVERS\MA111nd5.sys [2004-02-26 09:25]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 19:48:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 20:05:54
ComboFix-quarantined-files.txt 2008-02-05 20:05:48
ComboFix2.txt 2008-02-04 21:56:28
ComboFix3.txt 2008-02-04 13:59:47
ComboFix4.txt 2008-02-04 10:10:18

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:12:53, on 05/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\BHROOT\BIN\NT611SVC.EXE
C:\BHROOT\BIN\monitor.exe
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\ElsaWin\bin\LcSvrAdm.exe
C:\ElsaWin\bin\LcSvrDba.exe
C:\ElsaWin\bin\LcSvrHis.exe
C:\ElsaWin\bin\LcSvrPas.exe
c:\opt\MBCASE\pm\bin\mcp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\BHROOT\BIN\PORTMAP.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spnsrvnt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
c:\opt\MBCASE\WIS\TBCD\tbmux32.exe
C:\PROGRA~1\JAVASOFT\JRE\132E6D~1.1\bin\java.exe
C:\BHROOT\BIN\DBMANG.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\ElsaWin\bin\LcSvrAuf.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\cmserver.exe
C:\WINDOWS\system32\cmd.exe
C:\opt\MBCASE\pm\bin\lic_srv.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.2.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleaner\registrycleaner2008.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://whc-live-webc.../ShowSetup5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom....gamesplayer.cab
O16 - DPF: {C7DC40E0-6601-4530-9AFB-68506CAE2628} (InstallShield Setup Player 2K2) - http://qa.nsapp.ford...IDS44/setup.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flashcasino....en/FlashAX2.cab
O18 - Protocol: vw-wi - {0F3C833F-FB28-40EA-8CB9-6A55B996C3F6} - C:\ElsaWin\bin\wiProt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: bh611 - Bell& Howell - C:\BHROOT\BIN\NT611SVC.EXE
O23 - Service: Bell & Howell Monitor Service (BHMonitorService) - Bell & Howell - C:\BHROOT\BIN\monitor.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: Bell & Howell Database Manager (dbmang) - Bell & Howell - C:\BHROOT\BIN\DBMANG.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: konfig - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: ELSA Administration Service (LcSvrAdm) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAdm.exe
O23 - Service: ELSA Auftragsverwaltungs Service (LcSvrAuf) - Volkswagen AG - C:\ElsaWin\bin\LcSvrAuf.exe
O23 - Service: ELSA DBA Server (LcSvrDba) - Volkswagen AG - C:\ElsaWin\bin\LcSvrDba.exe
O23 - Service: ELSA Historie Server (LcSvrHis) - Volkswagen AG - C:\ElsaWin\bin\LcSvrHis.exe
O23 - Service: ELSA PASS Server (LcSvrPAS) - Volkswagen AG - C:\ElsaWin\bin\LcSvrPas.exe
O23 - Service: license - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - c:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: ONC/RPC Portmapper (portmapper) - Bell & Howell - C:\BHROOT\BIN\PORTMAP.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\System32\spnsrvnt.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - c:\opt\MBCASE\WIS\TBCD\tbmux32.exe

--
End of file - 10343 bytes

Regards..............

#10 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts

Your logs are clean! We need to do a few things.

You can delete the tools that we used.

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
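The Custom level choices above are stored as registry values under the Internet zone key that Inetcpl.cpl edits. As an added example (not from this thread), the PowerShell script below reads those three values, reports whether they match the recommended Prompt/Prompt/Disable settings, and can write them with -Fix. The value names 1001, 1004 and 1201 and the 0/1/3 data are Microsoft's zone settings; the function name is an assumption of mine.

```powershell
# Added example, not from the thread: audit (and optionally apply) the three
# Internet-zone ActiveX settings recommended above, via the registry values
# behind the Inetcpl.cpl Security tab. Run as the user whose IE settings you
# want to check.

# Zone 3 is the Internet zone. Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name -> wanted data (mirrors the Custom level choices in the post)
$Wanted = @{
    '1001' = 1   # Download signed ActiveX controls                        -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls                      -> Prompt
    '1201' = 3   # Initialize and script ActiveX controls not marked safe  -> Disable
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    param([switch]$Fix)   # -Fix writes the recommended data; default is report-only

    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($name in ($Wanted.Keys | Sort-Object)) {
        $current = $props.$name
        $want    = $Wanted[$name]
        if ($null -eq $current) {
            $state = 'not set (zone default applies)'
        } else {
            $state = $Labels[[int]$current]
            if (-not $state) { $state = "unknown ($current)" }
        }
        $ok = ($null -ne $current) -and ([int]$current -eq $want)
        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $ZoneKey -Name $name -Value $want -Type DWord
            $state = $Labels[$want] + ' (fixed)'
            $ok = $true
        }
        New-Object PSObject -Property @{
            Setting = $name
            Current = $state
            Wanted  = $Labels[$want]
            OK      = $ok
        }
    }
}

# Caveat: if Security_HKLM_only under HKLM\...\Internet Settings is set to 1,
# the per-user zone values are ignored and the same value names under
# HKLM:\...\Zones\3 govern instead; audit that key in that case.
Test-InternetZoneActiveX | Format-Table Setting, Current, Wanted, OK -AutoSize
```

A row with OK = False after "Reset all zones to default level" means the GUI step did not take effect for this account, or a machine-wide policy is overriding it.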

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.

#11 glover1 (Topic Starter) - New Member, 6 posts

Hi, thanks for all your assistance in this matter. The computer is now running fine. It's great to see that somebody actually knows what they're doing and is willing to help people. Donation on its way. Once again many thanks.........

#12 Rorschach112 (Ralphie) - Retired Staff, 47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.