Trojan Downloader.XS [RESOLVED]



#31 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hey ~Mix,
First off, if you cannot trust your machine in the hands of others, keep them away. I am working on a little research project and found that all it takes is one little click to destroy a machine :)
Let's get this in place:
Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Next, boot into safe mode.
You will need to restart your computer to get to safe mode.
On restart you need to tap F8 continually, and select safe mode.
Run Combofix from there (if you do not see the icon, click start, search, files and folder, type in Combofix)

Run that, save then copy and paste into your next reply.
I am under a very heavy workload for tonight and tomorrow, so hang in there, I am working on it.
Let's see what happens after the Hosts file is installed.

Harry
#32 ~Mix (Member, Topic Starter, 77 posts)
Harry, The Person That Is Getting On My Computer Is A Family Member That Doesn't Really Care If The Computer Has A Virus... So I'm Not Sure What To Do...
I Will Not Be At My Computer This Weekend And Maybe Into Next Week..
Here Is The Combofix Log:

ComboFix 08-03-22.1 - Owner 2008-03-27 16:41:24.10 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\2search\
C:\Program Files\Accoona\
C:\Program Files\AVSystemCare\
C:\Program Files\bravesentry\
C:\Program Files\ClientMan\
C:\Program Files\Common Files\cpush\
C:\Program Files\Common Files\drivecleaner free\
C:\Program Files\Common Files\KeenValue\
C:\Program Files\Common Files\sogou pxp\
C:\Program Files\Common Files\WinSoftware\
C:\Program Files\CSBB\
C:\Program Files\dialers\
C:\Program Files\DriveCleaner Free\
C:\Program Files\e2g\
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\install provider\
C:\Program Files\instant access\
C:\Program Files\ipwindows\
C:\Program Files\kuaiso toolsbar\
C:\Program Files\media-codec\
C:\Program Files\mmediacodec\
C:\Program Files\MyWebSearch\
C:\Program Files\newdotnet\
C:\Program Files\p4p\
C:\Program Files\PestTrap\
C:\Program Files\purityscan\
C:\Program Files\regifast\
C:\Program Files\seekmo\
C:\Program Files\SideFind\
C:\Program Files\spamblockerutility\
C:\Program Files\spysheriff\
C:\Program Files\starware\
C:\Program Files\SurfAccuracy\
C:\Program Files\surfsidekick 3\
C:\Program Files\toolbar888\
C:\Program Files\web buying\
C:\Program Files\webhancer\
C:\Program Files\WhenUSearch\
C:\WINDOWS\mc\
C:\WINDOWS\mslagent\
C:\WINDOWS\wincomp\
C:\WINDOWS\winmgts\
C:\WINDOWS\wintrim\
C:\WINDOWS\system32\nkunpack.dll . . . . failed to delete
C:\WINDOWS\system32\nuclabdll.dll . . . . failed to delete
C:\WINDOWS\system32\obbn13t.dll . . . . failed to delete
C:\WINDOWS\system32\openglss.dll . . . . failed to delete
C:\WINDOWS\system32\printpnp.dll . . . . failed to delete
C:\WINDOWS\system32\prw76sks.sys . . . . failed to delete
C:\WINDOWS\system32\prwsks.dll . . . . failed to delete
C:\WINDOWS\system32\psksds.dll . . . . failed to delete
C:\WINDOWS\system32\rdrVR2.dll . . . . failed to delete
C:\WINDOWS\system32\rsdapi.dll . . . . failed to delete
C:\WINDOWS\system32\satau320.dll . . . . failed to delete
C:\WINDOWS\system32\satdll.dll . . . . failed to delete
C:\WINDOWS\system32\satmmc.dll . . . . failed to delete
C:\WINDOWS\system32\sdcard98.dll . . . . failed to delete
C:\WINDOWS\system32\se500mdm.dll . . . . failed to delete
C:\WINDOWS\system32\se633mxx.dll . . . . failed to delete
C:\WINDOWS\system32\sks2drvr.sys . . . . failed to delete
C:\WINDOWS\system32\sksdll.dll . . . . failed to delete
C:\WINDOWS\system32\tcpG4T.dll . . . . failed to delete
C:\WINDOWS\system32\tcpGDC.dll . . . . failed to delete
C:\WINDOWS\system32\tcpwrk.dll . . . . failed to delete
C:\WINDOWS\system32\wincom32.sys . . . . failed to delete
C:\WINDOWS\system32\wndtx1.dll . . . . failed to delete
C:\WINDOWS\system32\xcdmfree.dll . . . . failed to delete
C:\WINDOWS\system32\zopenssl.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-25 22:09 . 2008-03-27 02:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-23 17:56 . 2008-03-25 15:58 <DIR> d-------- C:\VundoFix Backups
2008-03-23 17:03 . 2008-03-23 17:03 <DIR> d-------- C:\_OTMoveIt
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-21 21:03 . 2008-03-21 21:03 3,631 --a------ C:\7D.tmp
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 15:42 . 2008-03-09 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:18 . 2008-03-27 16:48 25 --a------ C:\WINDOWS\win.ini
2008-03-08 23:53 . 2008-03-09 14:40 <DIR> d-------- C:\Program Files\No Trace
2008-03-08 23:43 . 2008-03-08 23:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 23:43 . 2008-03-09 05:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 23:27 . 2008-03-08 23:27 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:10 . 2008-03-08 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 08:54 . 2008-03-09 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-23 17:15 --------- d--h--w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-08 17:31 --------- d-----w C:\Program Files\Setup NetZero
2008-03-08 16:42 --------- d-----w C:\Program Files\SpywareGuard
2008-03-08 01:52 --------- d-----w C:\Program Files\Mungyodance
2008-03-08 00:23 --------- d-----w C:\Program Files\StepMania
2008-02-20 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 10:21 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-20 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((( [email protected]_15.03.07.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 19:01 43008]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-05-19 11:29 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-29 21:57 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:05 185632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-29 21:55:21 2168360]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-05 22:54:45 124912]
HP Parallel Port Test.lnk - C:\SCANJET\PrecisionScan\hpppt.exe [2007-04-12 23:42:44 107008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 10:36]
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd [1998-03-30 02:18]
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys [1998-03-30 02:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 20:50:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 16:47:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recguard = %WINDIR%\SMINST\RECGUARD.EXE?
Reminder = %WINDIR%\Creator\Remind_XP.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-27 16:56:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 20:56:51
ComboFix2.txt 2008-03-26 02:19:36
ComboFix3.txt 2008-03-25 20:54:07
ComboFix4.txt 2008-03-25 20:31:24
ComboFix5.txt 2008-03-23 20:17:40
.
2007-12-19 01:38:33 --- E O F ---

#33 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hiya ~mix, hope ya had a good weekend :)

Let's run combo again, but we need to stop all your protection apps for now.
We will restart them as we go, I understand you are not the only user of this machine :)

Tea Timer
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident

Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

We will re-enable it when done here

Let's give this another try; I would like you to download combofix again.
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Harry

#34 ~Mix (Member, Topic Starter, 77 posts)
Harry, I Had A Very Good Weekend!, You? Also Where's The System Tray At? I Got The Second Part Done...
Also I Was Wondering If It Would Be Okay To Send Files (By IM) To Other Computers Or Would That Send The Virus Out To The Other Computer? Also Is It Okay To Log Onto Normal Log Ins Like Myspace Type Thing Or E-Mail? Also I'm Getting A BHO Thing That States Each Time I Open A New Window That Comcast Wants To Change Something To Version 2 Should I Allow It Because The Change In The Before Box There Was Nothing There And In The After Box There Would Be The Version 2 Thing?

ComboFix 08-04-02.1 - Owner 2008-04-02 22:21:50.11 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\2search\
C:\Program Files\Accoona\
C:\Program Files\AVSystemCare\
C:\Program Files\bravesentry\
C:\Program Files\ClientMan\
C:\Program Files\Common Files\cpush\
C:\Program Files\Common Files\drivecleaner free\
C:\Program Files\Common Files\KeenValue\
C:\Program Files\Common Files\sogou pxp\
C:\Program Files\Common Files\WinSoftware\
C:\Program Files\CSBB\
C:\Program Files\dialers\
C:\Program Files\DriveCleaner Free\
C:\Program Files\e2g\
C:\Program Files\HbTools\
C:\Program Files\Hotbar\
C:\Program Files\install provider\
C:\Program Files\instant access\
C:\Program Files\ipwindows\
C:\Program Files\kuaiso toolsbar\
C:\Program Files\media-codec\
C:\Program Files\mmediacodec\
C:\Program Files\MyWebSearch\
C:\Program Files\newdotnet\
C:\Program Files\p4p\
C:\Program Files\PerfectCleaner\
C:\Program Files\PestTrap\
C:\Program Files\purityscan\
C:\Program Files\regifast\
C:\Program Files\seekmo\
C:\Program Files\SideFind\
C:\Program Files\spamblockerutility\
C:\Program Files\spysheriff\
C:\Program Files\starware\
C:\Program Files\SurfAccuracy\
C:\Program Files\surfsidekick 3\
C:\Program Files\toolbar888\
C:\Program Files\web buying\
C:\Program Files\webhancer\
C:\Program Files\WhenUSearch\
C:\WINDOWS\mc\
C:\WINDOWS\mslagent\
C:\WINDOWS\wincomp\
C:\WINDOWS\winmgts\
C:\WINDOWS\wintrim\
C:\WINDOWS\system32\nkunpack.dll . . . . failed to delete
C:\WINDOWS\system32\nuclabdll.dll . . . . failed to delete
C:\WINDOWS\system32\obbn13t.dll . . . . failed to delete
C:\WINDOWS\system32\openglss.dll . . . . failed to delete
C:\WINDOWS\system32\printpnp.dll . . . . failed to delete
C:\WINDOWS\system32\prw76sks.sys . . . . failed to delete
C:\WINDOWS\system32\prwsks.dll . . . . failed to delete
C:\WINDOWS\system32\psksds.dll . . . . failed to delete
C:\WINDOWS\system32\rdrVR2.dll . . . . failed to delete
C:\WINDOWS\system32\rsdapi.dll . . . . failed to delete
C:\WINDOWS\system32\satau320.dll . . . . failed to delete
C:\WINDOWS\system32\satdll.dll . . . . failed to delete
C:\WINDOWS\system32\satmmc.dll . . . . failed to delete
C:\WINDOWS\system32\sdcard98.dll . . . . failed to delete
C:\WINDOWS\system32\se500mdm.dll . . . . failed to delete
C:\WINDOWS\system32\se633mxx.dll . . . . failed to delete
C:\WINDOWS\system32\sks2drvr.sys . . . . failed to delete
C:\WINDOWS\system32\sksdll.dll . . . . failed to delete
C:\WINDOWS\system32\tcpG4T.dll . . . . failed to delete
C:\WINDOWS\system32\tcpGDC.dll . . . . failed to delete
C:\WINDOWS\system32\tcpwrk.dll . . . . failed to delete
C:\WINDOWS\system32\wincom32.sys . . . . failed to delete
C:\WINDOWS\system32\wndtx1.dll . . . . failed to delete
C:\WINDOWS\system32\xcdmfree.dll . . . . failed to delete
C:\WINDOWS\system32\zopenssl.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-03-27 16:37 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-27 16:37 . 2005-10-29 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-27 16:37 . 2005-10-29 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-27 16:37 . 2006-11-05 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-25 22:09 . 2008-03-27 02:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-23 17:56 . 2008-03-25 15:58 <DIR> d-------- C:\VundoFix Backups
2008-03-23 17:03 . 2008-03-23 17:03 <DIR> d-------- C:\_OTMoveIt
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\voiceip.dll
2008-03-22 20:08 . 2008-03-22 20:08 <DIR> dr-hs---- C:\WINDOWS\mssvr.exe
2008-03-21 21:03 . 2008-03-21 21:03 3,631 --a------ C:\7D.tmp
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-09 15:57 . 2008-03-09 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-09 15:42 . 2008-03-09 15:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-09 14:35 . 2008-03-09 14:35 13,056 --a------ C:\WINDOWS\avisynthex32.dll
2008-03-09 10:18 . 2008-04-02 22:31 25 --a------ C:\WINDOWS\win.ini
2008-03-08 23:53 . 2008-03-09 14:40 <DIR> d-------- C:\Program Files\No Trace
2008-03-08 23:43 . 2008-03-08 23:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 23:43 . 2008-03-09 05:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 23:27 . 2008-03-08 23:27 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 15:10 . 2008-03-08 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 08:54 . 2008-03-09 01:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-28 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-28 01:41 --------- d-----w C:\Program Files\SpywareGuard
2008-03-23 17:15 --------- d--h--w C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-08 17:31 --------- d-----w C:\Program Files\Setup NetZero
2008-03-08 01:52 --------- d-----w C:\Program Files\Mungyodance
2008-03-08 00:23 --------- d-----w C:\Program Files\StepMania
2008-02-20 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-20 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 10:21 --------- d--h--w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-20 10:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((( [email protected]_15.03.07.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 18:08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 19:01 43008]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"Spyware Vanisher"="C:\spywarevanisher-full\SpywareVanisher.exe" [2006-12-24 14:13 4114432]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"CheckNetworkConnection"="C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" [2006-05-19 11:29 1286144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58 1773568]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-29 21:57 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 15:05 185632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 15:15 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 15:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-29 21:55:21 2168360]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-05 22:54:45 124912]
HP Parallel Port Test.lnk - C:\SCANJET\PrecisionScan\hpppt.exe [2007-04-12 23:42:44 107008]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-10-06 10:36]
R2 MMIndexer;Media Manager Indexer;C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe [1997-07-15 01:00]
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd [1998-03-30 02:18]
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys [1998-03-30 02:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 02:33:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 22:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recguard = %WINDIR%\SMINST\RECGUARD.EXE?
Reminder = %WINDIR%\Creator\Remind_XP.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-04-02 22:43:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-03 02:43:30
ComboFix2.txt 2008-03-27 20:56:56
ComboFix3.txt 2008-03-26 02:19:36
ComboFix4.txt 2008-03-25 20:54:07
ComboFix5.txt 2008-03-25 20:31:24
Pre-Run: 68,399,493,120 bytes free
Post-Run: 68,387,643,392 bytes free
.
2007-12-19 01:38:33 --- E O F ---

Edited by ~Mix, 02 April 2008 - 10:02 PM.


#35 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Unfortunately my work has consumed a lot of time, I will be responding tonight or tomorrow morning.

Sorry for the delay :)

Harry

#36 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Hey mix,
One last tool to run.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Post the results, we're working on it :)

Harry
  • 0

#37
~Mix

~Mix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Harry, Here Are The Logs...
Also Yesterday I Did Remove Two Trojans.. Also There Is A File Now On My Desktop Called "HostsXpert" (Image Below)


SDFix: Version 1.165

Run by Owner on Thu 04/03/2008 at 08:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted


Could Not Remove C:\csrss.exe
Could Not Remove C:\winstall.exe
Could Not Remove C:\WINDOWS\csrss.exe
Could Not Remove C:\WINDOWS\explore.exe
Could Not Remove C:\WINDOWS\iexplorer.exe
Could Not Remove C:\WINDOWS\lsasss.exe
Could Not Remove C:\WINDOWS\services.exe
Could Not Remove C:\WINDOWS\svchost.exe
Could Not Remove C:\WINDOWS\system32\alsys.exe
Could Not Remove C:\WINDOWS\system32\atmtd.dll
Could Not Remove C:\WINDOWS\system32\atmtd.dll._
Could Not Remove C:\WINDOWS\system32\bho.dll
Could Not Remove C:\WINDOWS\system32\bootconf.exe
Could Not Remove C:\WINDOWS\system32\e1.dll
Could Not Remove C:\WINDOWS\system32\ezStub.exe
Could Not Remove C:\WINDOWS\system32\iexplore.exe
Could Not Remove C:\WINDOWS\system32\iexplorer.exe
Could Not Remove C:\WINDOWS\system32\internet.exe
Could Not Remove C:\WINDOWS\system32\ipv6mons.dll
Could Not Remove C:\WINDOWS\system32\msclt.exe
Could Not Remove C:\WINDOWS\system32\msmsgs.exe
Could Not Remove C:\WINDOWS\system32\mstc.exe
Could Not Remove C:\WINDOWS\system32\msupdate.exe
Could Not Remove C:\WINDOWS\system32\mswins.exe
Could Not Remove C:\WINDOWS\system32\nordsys.exe
Could Not Remove C:\WINDOWS\system32\ppl.exe
Could Not Remove C:\WINDOWS\system32\remote.exe
Could Not Remove C:\WINDOWS\system32\rundll.exe
Could Not Remove C:\WINDOWS\system32\rx.exe
Could Not Remove C:\WINDOWS\system32\scvhost32.exe
Could Not Remove C:\WINDOWS\system32\se.exe
Could Not Remove C:\WINDOWS\system32\server.exe
Could Not Remove C:\WINDOWS\system32\svchost32.exe
Could Not Remove C:\WINDOWS\system32\svhost.exe
Could Not Remove C:\WINDOWS\system32\svshost.exe
Could Not Remove C:\WINDOWS\system32\sys.exe
Could Not Remove C:\WINDOWS\system32\taskgmr.exe
Could Not Remove C:\WINDOWS\system32\update.exe
Could Not Remove C:\WINDOWS\system32\wgareg.exe
Could Not Remove C:\WINDOWS\system32\wgavm.exe
Could Not Remove C:\WINDOWS\system32\win32.exe
Could Not Remove C:\WINDOWS\system32\windll.exe
Could Not Remove C:\WINDOWS\system32\windowz.exe
Could Not Remove C:\WINDOWS\system32\winhost.exe
Could Not Remove C:\WINDOWS\system32\winsvc.exe
Could Not Remove C:\WINDOWS\system32\winsys32.exe
Could Not Remove C:\WINDOWS\system32\winupd.exe
Could Not Remove C:\WINDOWS\system32\winxp.exe
Could Not Remove C:\WINDOWS\system32\zlbw.dll
Could Not Remove C:\WINDOWS\winlogon.exe
Could Not Remove C:\WINDOWS\winserv.exe
Could Not Remove C:\WINDOWS\xpupdate.exe
Could Not Remove C:\WINDOWS\system32\wincom32.sys



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 20:17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"="C:\\Program Files\\StepMania CVS\\Program\\StepMania.exe:*:Enabled:StepMania"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\csrss.exe Found
C:\winstall.exe Found
C:\WINDOWS\csrss.exe Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\lsasss.exe Found
C:\WINDOWS\services.exe Found
C:\WINDOWS\svchost.exe Found
C:\WINDOWS\system32\alsys.exe Found
C:\WINDOWS\system32\atmtd.dll Found
C:\WINDOWS\system32\atmtd.dll._ Found
C:\WINDOWS\system32\bho.dll Found
C:\WINDOWS\system32\bootconf.exe Found
C:\WINDOWS\system32\e1.dll Found
C:\WINDOWS\system32\ezStub.exe Found
C:\WINDOWS\system32\iexplore.exe Found
C:\WINDOWS\system32\iexplorer.exe Found
C:\WINDOWS\system32\internet.exe Found
C:\WINDOWS\system32\ipv6mons.dll Found
C:\WINDOWS\system32\msclt.exe Found
C:\WINDOWS\system32\msmsgs.exe Found
C:\WINDOWS\system32\mstc.exe Found
C:\WINDOWS\system32\msupdate.exe Found
C:\WINDOWS\system32\mswins.exe Found
C:\WINDOWS\system32\nordsys.exe Found
C:\WINDOWS\system32\ppl.exe Found
C:\WINDOWS\system32\remote.exe Found
C:\WINDOWS\system32\rundll.exe Found
C:\WINDOWS\system32\rx.exe Found
C:\WINDOWS\system32\scvhost32.exe Found
C:\WINDOWS\system32\se.exe Found
C:\WINDOWS\system32\server.exe Found
C:\WINDOWS\system32\svchost32.exe Found
C:\WINDOWS\system32\svhost.exe Found
C:\WINDOWS\system32\svshost.exe Found
C:\WINDOWS\system32\sys.exe Found
C:\WINDOWS\system32\taskgmr.exe Found
C:\WINDOWS\system32\update.exe Found
C:\WINDOWS\system32\wgareg.exe Found
C:\WINDOWS\system32\wgavm.exe Found
C:\WINDOWS\system32\win32.exe Found
C:\WINDOWS\system32\windll.exe Found
C:\WINDOWS\system32\windowz.exe Found
C:\WINDOWS\system32\winhost.exe Found
C:\WINDOWS\system32\winsvc.exe Found
C:\WINDOWS\system32\winsys32.exe Found
C:\WINDOWS\system32\winupd.exe Found
C:\WINDOWS\system32\winxp.exe Found
C:\WINDOWS\system32\zlbw.dll Found
C:\WINDOWS\winlogon.exe Found
C:\WINDOWS\winserv.exe Found
C:\WINDOWS\xpupdate.exe Found
C:\WINDOWS\system32\wincom32.sys Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 20 Mar 2008 236 ...HR --- "C:\Program Files\dealhelper.com inc"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 5 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 4 Nov 2006 722 A..H. --- "C:\Documents and Settings\Owner\.limewire\fileurns.bak"
Tue 19 Feb 2008 4,506,256 A..H. --- "C:\Documents and Settings\Owner\.limewire\.NetworkShare\LimeWireWin4.16.6.exe"
Thu 20 Mar 2008 274 A..HR --- "C:\_OTMoveIt\MovedFiles\03232008_170318\Program Files\adwareremovergold.com"
Thu 20 Mar 2008 274 A..HR --- "C:\_OTMoveIt\MovedFiles\03232008_170318\Program Files\bulletproofsoft.com"
Thu 20 Mar 2008 228 A..HR --- "C:\_OTMoveIt\MovedFiles\03232008_170318\Program Files\gator.com"
Thu 20 Mar 2008 274 A..HR --- "C:\_OTMoveIt\MovedFiles\03232008_170318\Program Files\malwarewipe.com"
Thu 20 Mar 2008 274 A..HR --- "C:\_OTMoveIt\MovedFiles\03232008_170318\Program Files\malwaresweeper.com"
Thu 20 Mar 2008 274 A..HR --- "C:\_OTMoveIt\MovedFiles\03232008_170318\Program Files\pcprivacysoftware.com"
Fri 7 Sep 2007 5,436 A..H. --- "C:\Documents and Settings\Owner\Application Data\Google\GoogleEarth\myplaces.kml.tmp"
Thu 26 Aug 2004 439 A..H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\brndlog.bak"
Tue 5 Dec 2006 72,704 ..SHR --- "C:\_OTMoveIt\MovedFiles\03252008_220029\Program Files\Malware Immunizer\MI.exe"
Sat 29 Oct 2005 10,134 A..HR --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe"
Sat 29 Oct 2005 49,152 A..HR --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE"
Sat 29 Oct 2005 45,056 A..HR --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE"
Sat 29 Oct 2005 45,056 A..HR --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe"
Thu 28 Sep 2006 6,302 A.SH. --- "C:\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\TSSTcorp_CDW_DVD_TS-H492C_GA01_300_DICV018_DRGV20100BC.TMP"
Tue 9 Oct 2007 1,214,488 A..H. --- "C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:05 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\SCANJET\PrecisionScan\hpppt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=b43127dc-3fb1-45ae-96f2-4935118d933d
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 10619 bytes

Attached Files


Edited by ~Mix, 03 April 2008 - 06:41 PM.

  • 0

#38
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok mix,
I see something that needs to be researched; I am working on that now.
The hosts file and funkytoad are ok, part of the tools we are running.

The way this is getting reloaded is really starting to get me mad :)
  • 0

#39
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok mix,
This is going to be a complicated fix, I need to work on it for a bit.
As to your earlier questions, I suggest you leave this machine disconnected from the internet other than to check here. Whatever is going on need not be spread around to your friends or anyone else. Please bear with me, hang in there.
Harry
  • 0

#40
~Mix

~Mix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Harry, While I Was Disconnected I Found Like Over 100 Hidden Files In My "My Programs" Folder That I Didn't Install And One Folder That Will Not Delete Call "xerox" And An Inside Folder "nwwia" With Nothing In It, Also I Found Some Profiles That I Didn't Make Like "Administrator" And "Default User" And For A While My "Documents And Settings" Folder Was Hidden... I Will Reconnect Later...
  • 0


#41
harrythook

harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey mix,
You should be logged on with administrative rights under your name, so that the tools we use work properly.
When you boot into safe mode, is there the option to log in as administrator?

Lets try this:
Avenger2

If you have any questions or comments about this tool, please see the discussion in this topic:

http://www.geekstogo...showtopic=99483

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\csrss.exe 
C:\winstall.exe 
C:\WINDOWS\csrss.exe 
C:\WINDOWS\explore.exe 
C:\WINDOWS\iexplorer.exe 
C:\WINDOWS\lsasss.exe 
C:\WINDOWS\services.exe 
C:\WINDOWS\svchost.exe 
C:\WINDOWS\system32\alsys.exe 
C:\WINDOWS\system32\atmtd.dll 
C:\WINDOWS\system32\atmtd.dll._ 
C:\WINDOWS\system32\bho.dll 
C:\WINDOWS\system32\bootconf.exe 
C:\WINDOWS\system32\e1.dll 
C:\WINDOWS\system32\ezStub.exe 
C:\WINDOWS\system32\iexplore.exe 
C:\WINDOWS\system32\iexplorer.exe 
C:\WINDOWS\system32\internet.exe 
C:\WINDOWS\system32\ipv6mons.dll 
C:\WINDOWS\system32\msclt.exe 
C:\WINDOWS\system32\msmsgs.exe 
C:\WINDOWS\system32\mstc.exe 
C:\WINDOWS\system32\msupdate.exe 
C:\WINDOWS\system32\mswins.exe 
C:\WINDOWS\system32\nordsys.exe 
C:\WINDOWS\system32\ppl.exe 
C:\WINDOWS\system32\remote.exe 
C:\WINDOWS\system32\rundll.exe 
C:\WINDOWS\system32\rx.exe 
C:\WINDOWS\system32\scvhost32.exe 
C:\WINDOWS\system32\se.exe 
C:\WINDOWS\system32\server.exe 
C:\WINDOWS\system32\svchost32.exe 
C:\WINDOWS\system32\svhost.exe 
C:\WINDOWS\system32\svshost.exe 
C:\WINDOWS\system32\sys.exe 
C:\WINDOWS\system32\taskgmr.exe 
C:\WINDOWS\system32\update.exe 
C:\WINDOWS\system32\wgareg.exe 
C:\WINDOWS\system32\wgavm.exe 
C:\WINDOWS\system32\win32.exe 
C:\WINDOWS\system32\windll.exe
C:\WINDOWS\system32\windowz.exe 
C:\WINDOWS\system32\winhost.exe 
C:\WINDOWS\system32\winsvc.exe 
C:\WINDOWS\system32\winsys32.exe 
C:\WINDOWS\system32\winupd.exe 
C:\WINDOWS\system32\winxp.exe 
C:\WINDOWS\system32\zlbw.dll 
C:\WINDOWS\winlogon.exe 
C:\WINDOWS\winserv.exe 
C:\WINDOWS\xpupdate.exe 
C:\WINDOWS\system32\wincom32.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0
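As an added example, not code from this thread nor from the SDFix or Avenger tools: the SDFix report above lists "Could Not Remove" entries whose names mimic Windows system processes (csrss.exe and svchost.exe outside system32, look-alikes such as lsasss.exe and taskgmr.exe), and Avenger's script syntax keeps files and directories in separate "Files to delete:" and "Folders to delete:" sections. The Python below parses a constructed SDFix excerpt, checks each path on a constructed temp-directory stand-in for the drive to see whether it is a file or a folder, explains why each name is suspicious, and emits an Avenger script with every path in the correct section. The KNOWN_SYSTEM_EXES table, SAMPLE_REPORT and the fixture are assumptions built for the example.

```python
"""Triage of SDFix "Could Not Remove" entries and generation of a matching
Avenger script.  Added example; not code from the thread, SDFix or Avenger.
KNOWN_SYSTEM_EXES, SAMPLE_REPORT and the fixture are constructed here."""
import os
import re
import tempfile

# Where the genuine Windows XP binaries live.  The same name anywhere else
# (C:\WINDOWS\svchost.exe, C:\csrss.exe) is a masquerade, as in the SDFix log.
KNOWN_SYSTEM_EXES = {
    "csrss.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "smss.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "taskmgr.exe": r"C:\WINDOWS\system32",
    "rundll32.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
}

COULD_NOT_REMOVE = re.compile(r"^Could Not Remove ([A-Za-z]:\\.+?)\s*$")

# Constructed excerpt in the SDFix report format seen in the thread.
SAMPLE_REPORT = r"""Checking Files :
Could Not Remove C:\csrss.exe
Could Not Remove C:\WINDOWS\svchost.exe
Could Not Remove C:\WINDOWS\lsasss.exe
Could Not Remove C:\WINDOWS\system32\scvhost32.exe
Could Not Remove C:\WINDOWS\system32\taskgmr.exe
Could Not Remove C:\WINDOWS\system32\wincom32.sys
"""

def parse_sdfix(report_text):
    """Return the paths SDFix reported it could not remove, in report order."""
    return [m.group(1) for line in report_text.splitlines()
            if (m := COULD_NOT_REMOVE.match(line))]

def edit_distance(a, b):
    """Levenshtein distance; two edits or fewer is close enough to be a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _stem(name):
    """'scvhost32.exe' -> 'scvhost': drop the extension and any digits."""
    return re.sub(r"\d+", "", name.lower().split(".")[0])

def classify_name(path):
    """Say why a path looks like a masquerade (or that it is the genuine file)."""
    directory, name = path.rsplit("\\", 1)
    lname = name.lower()
    if lname in KNOWN_SYSTEM_EXES:
        home = KNOWN_SYSTEM_EXES[lname]
        if directory.lower() == home.lower():
            return "legitimate location"
        return f"system name outside its home directory ({home})"
    stem = _stem(lname)
    if len(stem) >= 5:  # very short stems are within two edits of everything
        closest = min(KNOWN_SYSTEM_EXES, key=lambda k: edit_distance(stem, _stem(k)))
        if edit_distance(stem, _stem(closest)) <= 2:
            return f"look-alike of {closest}"
    return "unknown name"

def to_local(root, win_path):
    """Map C:\\WINDOWS\\x.exe onto the fixture root so the check runs anywhere."""
    return os.path.join(root, win_path[3:].replace("\\", "/"))

def make_fixture(root, dir_paths, file_paths):
    """Constructed stand-in for the drive: directories carrying executable names
    (what SDFix could not remove as files) next to ordinary files."""
    for p in dir_paths:
        os.makedirs(to_local(root, p), exist_ok=True)
    for p in file_paths:
        local = to_local(root, p)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        open(local, "w").close()

def triage(report_text, root):
    """(path, is_directory, reason) for every entry SDFix could not remove."""
    return [(p, os.path.isdir(to_local(root, p)), classify_name(p))
            for p in parse_sdfix(report_text)]

def avenger_script(rows):
    """Build the Avenger script: directories go under "Folders to delete:";
    listed under "Files to delete:" Avenger reports STATUS_FILE_IS_A_DIRECTORY
    and removes nothing.  Entries at a legitimate system location are left out."""
    files = [p for p, is_dir, why in rows if not is_dir and why != "legitimate location"]
    folders = [p for p, is_dir, why in rows if is_dir and why != "legitimate location"]
    sections = []
    if files:
        sections.append("Files to delete:\n" + "\n".join(files))
    if folders:
        sections.append("Folders to delete:\n" + "\n".join(folders))
    return "\n\n".join(sections) + "\n"

def demo():
    """Run the whole pipeline against the constructed fixture."""
    with tempfile.TemporaryDirectory() as root:
        make_fixture(root,
                     dir_paths=[r"C:\csrss.exe", r"C:\WINDOWS\svchost.exe",
                                r"C:\WINDOWS\lsasss.exe"],
                     file_paths=[r"C:\WINDOWS\system32\scvhost32.exe",
                                 r"C:\WINDOWS\system32\taskgmr.exe",
                                 r"C:\WINDOWS\system32\wincom32.sys"])
        rows = triage(SAMPLE_REPORT, root)
    return rows, avenger_script(rows)
```

Calling `demo()` returns the triage rows and the generated script; on the fixture the three directory entries land under "Folders to delete:" and the three files under "Files to delete:". The name check is deliberately conservative: it only explains why a name is suspicious and never decides on its own that an entry at a genuine system path should be deleted, since that is exactly the file a masquerade is trying to be confused with.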

#42
~Mix

~Mix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Harry, I Think The Files Part Should Be Changed To Folders As I Was Looking At The Log...
Also After The Scan There Was An Error About "No Disk"
(4 Trojans Deleted Last Night)

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: "C:\csrss.exe" is a folder, not a file!
Deletion of file "C:\csrss.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\winstall.exe" is a folder, not a file!
Deletion of file "C:\winstall.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\csrss.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\csrss.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\explore.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\explore.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\iexplorer.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\iexplorer.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\lsasss.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\lsasss.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\services.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\services.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\svchost.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\svchost.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\alsys.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\alsys.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\atmtd.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\atmtd.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\atmtd.dll._" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\atmtd.dll._" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\bho.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\bho.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\bootconf.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\bootconf.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\e1.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\e1.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\ezStub.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\ezStub.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\iexplore.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\iexplore.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\iexplorer.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\iexplorer.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\internet.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\internet.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\ipv6mons.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\ipv6mons.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\msclt.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\msclt.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\msmsgs.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\msmsgs.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\mstc.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\mstc.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\msupdate.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\msupdate.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\mswins.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\mswins.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\nordsys.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\nordsys.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\ppl.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\ppl.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\remote.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\remote.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\rundll.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\rundll.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\rx.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\rx.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\scvhost32.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\scvhost32.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\se.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\se.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\server.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\server.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\svchost32.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\svchost32.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\svhost.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\svhost.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\svshost.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\svshost.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\sys.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\sys.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\taskgmr.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\taskgmr.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\update.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\update.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\wgareg.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\wgareg.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\wgavm.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\wgavm.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\win32.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\win32.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\windll.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\windll.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\windowz.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\windowz.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\winhost.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\winhost.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\winsvc.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\winsvc.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\winsys32.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\winsys32.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\winupd.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\winupd.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\winxp.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\winxp.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\zlbw.dll" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\zlbw.dll" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\winlogon.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\winlogon.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\winserv.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\winserv.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\xpupdate.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\xpupdate.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32\wincom32.sys" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\wincom32.sys" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:30 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\SCANJET\PrecisionScan\hpppt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=b43127dc-3fb1-45ae-96f2-4935118d933d
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 10651 bytes

Edited by ~Mix, 05 April 2008 - 11:12 AM.


#43 harrythook (Trusted Helper, Retired Staff, 2,618 posts)
Alright Mix, let's give this a shot:
All the instructions are the same, just use the script in this post.

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Folders to delete:
C:\csrss.exe 
C:\winstall.exe 
C:\WINDOWS\csrss.exe 
C:\WINDOWS\explore.exe 
C:\WINDOWS\iexplorer.exe 
C:\WINDOWS\lsasss.exe 
C:\WINDOWS\services.exe 
C:\WINDOWS\svchost.exe 
C:\WINDOWS\system32\alsys.exe 
C:\WINDOWS\system32\atmtd.dll 
C:\WINDOWS\system32\atmtd.dll._ 
C:\WINDOWS\system32\bho.dll 
C:\WINDOWS\system32\bootconf.exe 
C:\WINDOWS\system32\e1.dll 
C:\WINDOWS\system32\ezStub.exe 
C:\WINDOWS\system32\iexplore.exe 
C:\WINDOWS\system32\iexplorer.exe 
C:\WINDOWS\system32\internet.exe 
C:\WINDOWS\system32\ipv6mons.dll 
C:\WINDOWS\system32\msclt.exe 
C:\WINDOWS\system32\msmsgs.exe 
C:\WINDOWS\system32\mstc.exe 
C:\WINDOWS\system32\msupdate.exe 
C:\WINDOWS\system32\mswins.exe 
C:\WINDOWS\system32\nordsys.exe 
C:\WINDOWS\system32\ppl.exe 
C:\WINDOWS\system32\remote.exe 
C:\WINDOWS\system32\rundll.exe 
C:\WINDOWS\system32\rx.exe 
C:\WINDOWS\system32\scvhost32.exe 
C:\WINDOWS\system32\se.exe 
C:\WINDOWS\system32\server.exe 
C:\WINDOWS\system32\svchost32.exe 
C:\WINDOWS\system32\svhost.exe 
C:\WINDOWS\system32\svshost.exe 
C:\WINDOWS\system32\sys.exe 
C:\WINDOWS\system32\taskgmr.exe 
C:\WINDOWS\system32\update.exe 
C:\WINDOWS\system32\wgareg.exe 
C:\WINDOWS\system32\wgavm.exe 
C:\WINDOWS\system32\win32.exe 
C:\WINDOWS\system32\windll.exe
C:\WINDOWS\system32\windowz.exe 
C:\WINDOWS\system32\winhost.exe 
C:\WINDOWS\system32\winsvc.exe 
C:\WINDOWS\system32\winsys32.exe 
C:\WINDOWS\system32\winupd.exe 
C:\WINDOWS\system32\winxp.exe 
C:\WINDOWS\system32\zlbw.dll 
C:\WINDOWS\winlogon.exe 
C:\WINDOWS\winserv.exe 
C:\WINDOWS\xpupdate.exe 
C:\WINDOWS\system32\wincom32.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.
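Added example, not part of the thread and not code from The Avenger: a small Python triage helper that reads an Avenger log of the shape pasted above, turns every STATUS_FILE_IS_A_DIRECTORY failure into the "Folders to delete:" retry script used in this post, and flags paths that imitate Windows system binaries by name (svhost.exe, lsasss.exe, taskgmr.exe) or by location (winlogon.exe outside system32). The sample log and the table of legitimate names and locations are constructed for the demo and are not exhaustive.

```python
import re

# Constructed Avenger log excerpt in the shape of the log pasted in the thread
# (paths are from the thread; this mix of outcomes is made up for the demo).
SAMPLE_LOG = r"""Error: "C:\WINDOWS\system32\scvhost32.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\scvhost32.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

Error: "C:\WINDOWS\winlogon.exe" is a folder, not a file!
Deletion of file "C:\WINDOWS\winlogon.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\WINDOWS\system32\atmtd.dll._" deleted successfully.
Deletion of file "C:\WINDOWS\system32\zlbw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
"""

DELETED_RE = re.compile(r'^(File|Folder) "(?P<path>[^"]+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of file "(?P<path>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: 0x[0-9a-fA-F]{8} \((?P<name>[A-Z_]+)\)$')

# Where a handful of Windows XP system binaries genuinely live (constructed,
# not exhaustive); the malware in this thread borrowed these names or folders.
LEGIT = {
    "svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows", "iexplore.exe": r"c:\program files\internet explorer",
}


def parse_avenger_log(text):
    """Single pass over the log. Returns a dict with:
    deleted -> paths Avenger removed, is_dir -> paths that failed with
    STATUS_FILE_IS_A_DIRECTORY, other -> (path, NTSTATUS name) for the rest."""
    result = {"deleted": [], "is_dir": [], "other": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = DELETED_RE.match(line)
        if m:
            result["deleted"].append(m.group("path"))
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Avenger prints the Status line directly after the failure line.
        status = STATUS_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        name = status.group("name") if status else "UNKNOWN"
        if name == "STATUS_FILE_IS_A_DIRECTORY":
            result["is_dir"].append(m.group("path"))
        else:
            result["other"].append((m.group("path"), name))
    return result


def build_retry_script(dir_paths):
    """The 'Folders to delete:' script used in the follow-up post of the thread."""
    return "Folders to delete:\n" + "\n".join(dir_paths) + "\n"


def _edit_distance(a, b):
    """Plain Levenshtein distance; file names are short enough for the O(n*m) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(path):
    """None for an unremarkable path, otherwise why it looks like an impostor:
    a real system name in the wrong folder, or a near-miss of a real name."""
    folder, _, name = path.lower().rpartition("\\")
    if name in LEGIT:
        return None if folder == LEGIT[name] else f"{name} outside {LEGIT[name]}"
    stem = re.sub(r"\d+(?=\.)", "", name)  # svchost32.exe -> svchost.exe
    nearest = min(LEGIT, key=lambda legit: _edit_distance(stem, legit))
    if _edit_distance(stem, nearest) <= 2:
        return f"near-miss of {nearest}"
    return None


def triage(text):
    """Retry script for the folder failures plus a reason for every path in the
    log that imitates a system binary."""
    parsed = parse_avenger_log(text)
    every_path = parsed["deleted"] + parsed["is_dir"] + [p for p, _ in parsed["other"]]
    suspicious = {p: classify_name(p) for p in every_path if classify_name(p)}
    return {"parsed": parsed, "retry_script": build_retry_script(parsed["is_dir"]),
            "suspicious": suspicious}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["retry_script"])
```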

#44 ~Mix (Member, Topic Starter, 77 posts)
Harry, Here Are The Log Files!

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\csrss.exe" deleted successfully.
Folder "C:\winstall.exe" deleted successfully.
Folder "C:\WINDOWS\csrss.exe" deleted successfully.
Folder "C:\WINDOWS\explore.exe" deleted successfully.
Folder "C:\WINDOWS\iexplorer.exe" deleted successfully.
Folder "C:\WINDOWS\lsasss.exe" deleted successfully.
Folder "C:\WINDOWS\services.exe" deleted successfully.
Folder "C:\WINDOWS\svchost.exe" deleted successfully.
Folder "C:\WINDOWS\system32\alsys.exe" deleted successfully.
Folder "C:\WINDOWS\system32\atmtd.dll" deleted successfully.
Folder "C:\WINDOWS\system32\atmtd.dll._" deleted successfully.
Folder "C:\WINDOWS\system32\bho.dll" deleted successfully.
Folder "C:\WINDOWS\system32\bootconf.exe" deleted successfully.
Folder "C:\WINDOWS\system32\e1.dll" deleted successfully.
Folder "C:\WINDOWS\system32\ezStub.exe" deleted successfully.
Folder "C:\WINDOWS\system32\iexplore.exe" deleted successfully.
Folder "C:\WINDOWS\system32\iexplorer.exe" deleted successfully.
Folder "C:\WINDOWS\system32\internet.exe" deleted successfully.
Folder "C:\WINDOWS\system32\ipv6mons.dll" deleted successfully.
Folder "C:\WINDOWS\system32\msclt.exe" deleted successfully.
Folder "C:\WINDOWS\system32\msmsgs.exe" deleted successfully.
Folder "C:\WINDOWS\system32\mstc.exe" deleted successfully.
Folder "C:\WINDOWS\system32\msupdate.exe" deleted successfully.
Folder "C:\WINDOWS\system32\mswins.exe" deleted successfully.
Folder "C:\WINDOWS\system32\nordsys.exe" deleted successfully.
Folder "C:\WINDOWS\system32\ppl.exe" deleted successfully.
Folder "C:\WINDOWS\system32\remote.exe" deleted successfully.
Folder "C:\WINDOWS\system32\rundll.exe" deleted successfully.
Folder "C:\WINDOWS\system32\rx.exe" deleted successfully.
Folder "C:\WINDOWS\system32\scvhost32.exe" deleted successfully.
Folder "C:\WINDOWS\system32\se.exe" deleted successfully.
Folder "C:\WINDOWS\system32\server.exe" deleted successfully.
Folder "C:\WINDOWS\system32\svchost32.exe" deleted successfully.
Folder "C:\WINDOWS\system32\svhost.exe" deleted successfully.
Folder "C:\WINDOWS\system32\svshost.exe" deleted successfully.
Folder "C:\WINDOWS\system32\sys.exe" deleted successfully.
Folder "C:\WINDOWS\system32\taskgmr.exe" deleted successfully.
Folder "C:\WINDOWS\system32\update.exe" deleted successfully.
Folder "C:\WINDOWS\system32\wgareg.exe" deleted successfully.
Folder "C:\WINDOWS\system32\wgavm.exe" deleted successfully.
Folder "C:\WINDOWS\system32\win32.exe" deleted successfully.
Folder "C:\WINDOWS\system32\windll.exe" deleted successfully.
Folder "C:\WINDOWS\system32\windowz.exe" deleted successfully.
Folder "C:\WINDOWS\system32\winhost.exe" deleted successfully.
Folder "C:\WINDOWS\system32\winsvc.exe" deleted successfully.
Folder "C:\WINDOWS\system32\winsys32.exe" deleted successfully.
Folder "C:\WINDOWS\system32\winupd.exe" deleted successfully.
Folder "C:\WINDOWS\system32\winxp.exe" deleted successfully.
Folder "C:\WINDOWS\system32\zlbw.dll" deleted successfully.
Folder "C:\WINDOWS\winlogon.exe" deleted successfully.
Folder "C:\WINDOWS\winserv.exe" deleted successfully.
Folder "C:\WINDOWS\xpupdate.exe" deleted successfully.
Folder "C:\WINDOWS\system32\wincom32.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:15 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\SCANJET\PrecisionScan\hpppt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=b43127dc-3fb1-45ae-96f2-4935118d933d
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v5.cab
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 10650 bytes
  • 0

#45
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok mix,
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\Program Files\Bat

After that, Reboot.

Run Combofix again, post a fresh HJT log and let's see where we stand. Depending on the results of that log we can get rid of some programs to speed you up.

Harry
  • 0
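The two entries Harry singles out are an O4 startup-folder shortcut and an O21 SSODL entry whose CLSID resolves to "(no file)". The script below is an added example, not part of the thread and not HijackThis code: it parses O4, O21 and O23 lines in the log format shown above into structured records, pulls the executable path out of each command, and flags entries whose file is missing or that launch from somewhere other than Program Files or the Windows directory. The sample lines are constructed to match the format of the log above, and the list of "expected" launch directories is an assumption used only as a heuristic.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample in HijackThis log format (mirrors the entry types above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip()

# One regex per entry type we triage; O8/O9/O16 lines are simply skipped.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
# Either a quoted path, or everything up to the first executable-looking extension.
PATH_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|sys|scr|cpl))(?:\s|$)', re.IGNORECASE)

# Assumption: directories an XP box normally launches autoruns from. Anything
# else is not automatically malicious, just worth a closer look.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def extract_path(cmd: str) -> Optional[str]:
    """Return the file an autorun command launches, or None if HJT says '(no file)'."""
    cmd = USER_SUFFIX_RE.sub("", cmd.strip())
    if cmd.lower() == "(no file)":
        return None
    m = PATH_RE.match(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Turn one HJT log line into a record, or None for entry types we ignore."""
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        return {"kind": "run", "location": f"{m['hive']}\\..\\{m['key']}",
                "name": m["name"], "target": extract_path(m["cmd"]), "raw": line}
    m = STARTUP_RE.match(line)
    if m:
        return {"kind": "startup", "location": m["where"],
                "name": m["name"], "target": extract_path(m["cmd"]), "raw": line}
    m = SSODL_RE.match(line)
    if m:
        # SSODL = ShellServiceObjectDelayLoad: a COM object explorer.exe loads at logon.
        return {"kind": "ssodl", "location": "SSODL " + m["clsid"],
                "name": m["name"], "target": extract_path(m["target"]), "raw": line}
    m = SERVICE_RE.match(line)
    if m:
        return {"kind": "service", "location": "service / " + m["vendor"],
                "name": m["name"], "target": extract_path(m["cmd"]), "raw": line}
    return None


def triage(entry: Dict[str, Any]) -> List[str]:
    """Heuristic flags: a dangling registry entry, or a launch path outside the usual roots."""
    flags = []
    if entry["target"] is None:
        flags.append("no file")
    elif not entry["target"].lower().startswith(EXPECTED_ROOTS):
        flags.append("unusual location")
    return flags


def triage_log(text: str) -> List[Dict[str, Any]]:
    """Parse every recognised line of an HJT log and attach triage flags."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry["flags"] = triage(entry)
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        mark = "!!" if e["flags"] else "  "
        print(mark, e["kind"].ljust(8), e["name"].ljust(32), e["target"], ", ".join(e["flags"]))
```

Two caveats the output makes obvious. The "(no file)" SSODL entry is still worth removing even though nothing loads from it today: the CLSID is consumed by explorer.exe at every logon, so a later drop of a DLL registered under that CLSID would be picked up silently, which is why "Fix Checked" on the O21 line matters. And Bat.exe sits under Program Files, so a location heuristic never flags it; Harry called it out on judgement about the name, not on anything this script can automate, which is the usual limit of autorun triage by path alone.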