Karl's PC Help Forums

hijackthis log
au98 - 30-1-2008 at 00:12

Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:11 PM, on 1/29/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
E:WINDOWSSystem32smss.exe
E:WINDOWSsystem32winlogon.exe
E:WINDOWSsystem32services.exe
E:WINDOWSsystem32lsass.exe
E:WINDOWSSystem32Ati2evxx.exe
E:WINDOWSsystem32svchost.exe
E:WINDOWSSystem32svchost.exe
E:Program FilesAheadInCDInCDsrv.exe
E:WINDOWSsystem32ZoneLabsvsmon.exe
E:Program FilesLavasoftAd-Aware 2007aawservice.exe
E:WINDOWSsystem32spoolsv.exe
E:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe
E:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe
E:PROGRA~1GrisoftAVGFRE~1avgemc.exe
E:Program FilesCommon FilesMotiveMcciCMService.exe
E:WINDOWSSystem32svchost.exe
E:WINDOWSsystem32Ati2evxx.exe
E:WINDOWSExplorer.EXE
E:PROGRA~1GrisoftAVGFRE~1avgcc.exe
E:Program FilesJavajre1.5.0_11binjusched.exe
E:Program FilesYahoo!Search ProtectionSearchProtection.exe
E:Program FilesAT&TInternet Security WizardISW.exe
E:Program FilesBellsouthHelpCenter40bbinsprtcmd.exe
E:Program FilesMessengermsmsgs.exe
E:Program FilesHPDigital Imagingbinhpqtra08.exe
E:Program FilesHPDigital Imagingbinhpqgalry.exe
E:WINDOWSsystem32winlogon.exe
E:WINDOWSsystem32Ati2evxx.exe
E:Program FilesInternet ExplorerIEXPLORE.EXE
E:SecurityHiJack ThisHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.att.net/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.yahoo.com/
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: Atlanta_Braves - {59b69dba-fa12-4a55-9b87-8ea71bc03108} - E:Program FilesAtlanta_BravestbAtl1.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:PROGRA~1Yahoo!CompanionInstallscpnyt.dll
F2 - REG:system.ini: UserInit=E:WINDOWSSystem32userinit.exe,msmsgs.exe,winwork.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:PROGRA~1Yahoo!CompanionInstallscpnyt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {1037CEC5-2507-1DD9-531B-5200BBCC8BBA} - E:WINDOWSSystem32uwtnbclt.dll
O2 - BHO: (no name) - {331549FF-0AAA-46ED-9A2E-BCB3A801906F} - E:WINDOWSSystem32ssqpm.dll (file missing)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - E:PROGRA~1BLSTOO~1BLSTOO~1.DLL
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - E:PROGRA~1COMCAS~1COMCAS~1.DLL
O2 - BHO: Atlanta_Braves - {59b69dba-fa12-4a55-9b87-8ea71bc03108} - E:Program FilesAtlanta_BravestbAtl1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:Program FilesYahoo!Commonyiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:Program FilesJavajre1.5.0_11binssv.dll
O2 - BHO: BndBlock5 BHO Class - {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - E:Program FilesQdrDriveQdrDrive10.dll
O2 - BHO: (no name) - {A61544B7-F792-44D9-91D9-737F628709D3} - E:WINDOWSSystem32sstqr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:program filesgooglegoogletoolbar4.dll
O2 - BHO: (no name) - {B6532491-6B06-427E-863E-70356BA05D7E} - E:WINDOWSSystem32awvtu.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - E:Program FilesZoneAlarmSBbar1.binSPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:program filesgooglegoogletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - E:PROGRA~1COMCAS~1COMCAS~1.DLL
O3 - Toolbar: Atlanta_Braves - {59b69dba-fa12-4a55-9b87-8ea71bc03108} - E:Program FilesAtlanta_BravestbAtl1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:PROGRA~1Yahoo!CompanionInstallscpnyt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - E:PROGRA~1BLSTOO~1BLSTOO~1.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:Program FilesZoneAlarmSBbar1.binSPYBLOCK.DLL
O4 - HKLM..Run: [ATIPTA] E:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 - HKLM..Run: [Google Desktop Search] "E:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe" /startup
O4 - HKLM..Run: [AVG7_CC] E:PROGRA~1GrisoftAVGFRE~1avgcc.exe /STARTUP
O4 - HKLM..Run: [SunJavaUpdateSched] "E:Program FilesJavajre1.5.0_11binjusched.exe"
O4 - HKLM..Run: [YSearchProtection] "E:Program FilesYahoo!Search ProtectionSearchProtection.exe"
O4 - HKLM..Run: [ISW.exe] "E:Program FilesAT&TInternet Security WizardISW.exe" /AUTORUN
O4 - HKLM..Run: [HelpCenter4.1] E:Program FilesBellsouthHelpCenter40bbinsprtcmd.exe /P HelpCenter4.1
O4 - HKLM..Run: [ZoneAlarm Client] "E:Program FilesZone LabsZoneAlarmzlclient.exe"
O4 - HKCU..Run: [MSMSGS] "E:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [NBJ] "E:Program FilesAheadNero BackItUpNBJ.exe"
O4 - HKUSS-1-5-19..Run: [AVG7_Run] E:PROGRA~1GrisoftAVGFRE~1avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [AVG7_Run] E:PROGRA~1GrisoftAVGFRE~1avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [MSMSGS] "E:Program FilesMessengermsmsgs.exe" /background (User 'Jason')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [YSearchProtection] E:Program FilesYahoo!Search ProtectionSearchProtection.exe (User 'Jason')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [Ascs] "E:WINDOWSFNTS~1ati2evxx.exe" -vt yazb (User 'Jason')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [QdrModule12] "E:Program FilesQdrModuleQdrModule12.exe" (User 'Jason')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [Jhx] E:WINDOWS??crosoftl?gonui.exe (User 'Jason')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [Dot1XCfg] E:Program FilesDot1XCfgDot1XCfg.exe (User 'Jason')
O4 - HKUSS-1-5-21-796845957-1450960922-725345543-1004..Run: [QdrPack12] "E:Program FilesQdrPackQdrPack12.exe" (User 'Jason')
O4 - HKUSS-1-5-18..Run: [AVG7_Run] E:PROGRA~1GrisoftAVGFRE~1avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [AVG7_Run] E:PROGRA~1GrisoftAVGFRE~1avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = E:Program FilesHPDigital Imagingbinhpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:Program FilesJavajre1.5.0_11binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:Program FilesJavajre1.5.0_11binssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:Program FilesYahoo!Commonyiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:Program FilesYahoo!CommonYinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26bba9f8a7414e35d506/netzip/RdxIE601.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: E:PROGRA~1GoogleGOOGLE~3GOEC62~1.DLL
O20 - Winlogon Notify: fccdeef - fccdeef.dll (file missing)
O20 - Winlogon Notify: khfebay - khfebay.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:WINDOWSSystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:WINDOWSsystem32ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:Program FilesGrisoftAVG Anti-Spyware 7.5guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:PROGRA~1GrisoftAVGFRE~1avgemc.exe
O23 - Service: GoogleDesktopManager - Unknown owner - E:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - E:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:Program FilesAheadInCDInCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - E:Program FilesAheadInCDInCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:Program FilesiPodbiniPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - E:Program FilesCommon FilesMotiveMcciCMService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:WINDOWSsystem32ZoneLabsvsmon.exe

--
End of file - 11023 bytes
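A log like the one above is usually read by eye, but the same checks an analyst applies (BHOs registered with no name, entries whose file is already gone, extra programs chained onto UserInit, autoruns with garbage characters in the path, or a system binary's name sitting in an odd directory) can be run mechanically as a first pass. The script below is an added example, not code from this forum or from HijackThis; the heuristics are mine, and the sample entries are constructed from the posted log with the backslashes the forum stripped put back (the SID is the one shown in the post).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of entries modelled on the HijackThis log posted
# in the thread, with the backslashes the forum stripped put back. The SID is the
# one shown in the post; everything else is representative, not a real system.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\userinit.exe,msmsgs.exe,winwork.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1037CEC5-2507-1DD9-531B-5200BBCC8BBA} - E:\WINDOWS\System32\uwtnbclt.dll
O2 - BHO: (no name) - {331549FF-0AAA-46ED-9A2E-BCB3A801906F} - E:\WINDOWS\System32\ssqpm.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-21-796845957-1450960922-725345543-1004\..\Run: [Ascs] "E:\WINDOWS\FNTS~1\ati2evxx.exe" -vt yazb (User 'Jason')
O4 - HKUS\S-1-5-21-796845957-1450960922-725345543-1004\..\Run: [Jhx] E:\WINDOWS\??crosoft\l?gonui.exe (User 'Jason')
O20 - Winlogon Notify: fccdeef - fccdeef.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com|bat))(?:\s|$)", re.IGNORECASE)

# Names of Windows binaries that malware of this era liked to borrow; a file with
# one of these names outside \WINDOWS or \WINDOWS\system32 deserves a second look.
SYSTEM_NAMES = {"ati2evxx.exe", "logonui.exe", "userinit.exe", "winlogon.exe",
                "svchost.exe", "lsass.exe", "services.exe", "smss.exe", "explorer.exe"}


@dataclass
class Entry:
    section: str   # e.g. "O2", "O4", "F2"
    body: str      # the text after "O4 - "
    path: str      # file path pulled out of the body


@dataclass
class Finding:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def extract_path(section: str, body: str) -> str:
    """Pull the file path out of one HijackThis entry body."""
    body = USER_SUFFIX_RE.sub("", body)           # drop "(User 'Jason')"
    if section == "O4":
        m = re.search(r"\] (.*)$", body)          # command line follows "[Name] "
        cmd = m.group(1) if m else body
        q = QUOTED_RE.match(cmd)
        if q:
            return q.group(1)
        u = UNQUOTED_EXE_RE.match(cmd)            # unquoted path, maybe with spaces
        return u.group(1) if u else cmd.split()[0]
    if section == "F2" and "=" in body:
        return body.split("=", 1)[1]              # value of UserInit=
    if " - " in body:
        return body.rsplit(" - ", 1)[1]           # O2/O3/O20/O23: path is last field
    return body


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.group("section"), m.group("body")
            entries.append(Entry(section, body, extract_path(section, body)))
    return entries


def triage(entries) -> list:
    """Apply simple defender heuristics; returns only the entries that tripped one."""
    findings = []
    for e in entries:
        reasons = []
        missing = "(file missing)" in e.body
        if missing:
            reasons.append("orphaned entry: registered file is missing")
        if e.section == "O2" and "(no name)" in e.body:
            reasons.append("BHO registered without a name")
        if e.section == "F2" and "UserInit=" in e.body:
            extra = [t.strip() for t in e.path.split(",")
                     if t.strip() and not t.strip().lower().endswith("userinit.exe")]
            if extra:
                reasons.append("UserInit chains extra programs: " + ", ".join(extra))
        if not missing:
            # '?' is invalid in a Windows filename; HJT renders unprintable bytes that way
            if any(c == "?" or ord(c) > 126 for c in e.path):
                reasons.append("path contains characters invalid in a Windows filename")
            directory, _, name = e.path.lower().rpartition("\\")
            if name in SYSTEM_NAMES and not (
                    directory.endswith("\\system32") or directory.endswith("\\windows")):
                reasons.append("system binary name outside its normal directory")
        if reasons:
            findings.append(Finding(e.section, e.body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section}: {f.body}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it flags six of the nine entries: the UserInit line with its two extra programs, both nameless BHOs, the orphaned Winlogon Notify entry, the autorun whose path is unprintable, and the `ati2evxx.exe` launched from a fonts directory rather than System32 (a legitimate copy of the same name runs as a service from System32 and is left alone). The heuristics are deliberately crude; they shortlist what a person then verifies.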


Daz - 30-1-2008 at 03:52

Pancake is our resident expert on HJT logs, he'll pop in at some point to give you his expert knowledge...

Hang in there though, because it looks to me like you've got one or two issues that need taking care of, other than just a general tidy up... (But I'm no expert, so will refrain from advising further...)

Welcome to KF btw... Enjoy your stay.



Pancake - 31-1-2008 at 00:02

First thing I want you to do before we do any cleaning is to download Service Pack 1.

http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx.


au98 - 31-1-2008 at 03:56

I decided to go with a fresh windows install. It had been a few years anyway. This looks much better. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:48 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:Program FilesLavasoftAd-Aware 2007aawservice.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1GrisoftAVG7avgcc.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:PROGRA~1GrisoftAVG7avgamsvr.exe
C:PROGRA~1GrisoftAVG7avgupsvc.exe
C:PROGRA~1GrisoftAVG7avgemc.exe
D:SecurityHiJack ThisHiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKUSS-1-5-19..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201744241036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201747129639
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSSystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:WINDOWSsystem32ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgemc.exe

--
End of file - 3172 bytes


Pancake - 31-1-2008 at 05:02

Ok, that's fine... :D Just in case it's left some of the old stuff in the system, let's run this...


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.



Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.




Caution...Never run and remove files using ComboFix without being supervised by a security analyst



au98 - 31-1-2008 at 11:22

ComboFix 08-01-31.4 - Eric 2008-01-31 5:19:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.712 [GMT -6:00]
Running from: D:SecurityComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:Documents and SettingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr0.dat
C:Documents and SettingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr1.dat

----- BITS: Possible infected sites -----

hxxp://au.download.window
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 22:22 . 2007-07-09 07:16 582,656 -----c--- C:WINDOWSsystem32dllcacherpcrt4.dll
2008-01-30 22:02 . 2007-08-13 18:54 33,792 --a--c--- C:WINDOWSsystem32dllcachecustsat.dll
2008-01-30 21:36 . 2008-01-30 21:36 <DIR> d-------- C:Documents and SettingsAll UsersApplication DataATI MMC
2008-01-30 21:34 . 2008-01-30 21:34 <DIR> d-------- C:Documents and SettingsLocalServiceApplication DataAVG7
2008-01-30 21:34 . 2008-01-30 21:39 <DIR> d-------- C:Documents and SettingsEricApplication DataAVG7
2008-01-30 21:34 . 2008-01-30 21:34 499,712 --a------ C:WINDOWSsystem32msvcp71.dll
2008-01-30 21:34 . 2008-01-30 21:34 348,160 --a------ C:WINDOWSsystem32msvcr71.dll
2008-01-30 21:33 . 2008-01-30 21:33 <DIR> d-------- C:Documents and SettingsAll UsersApplication DataGrisoft
2008-01-30 21:33 . 2008-01-31 03:00 <DIR> d-------- C:Documents and SettingsAll UsersApplication Dataavg7
2008-01-30 21:20 . 2008-01-30 21:20 <DIR> d-------- C:WINDOWSprovisioning
2008-01-30 21:20 . 2008-01-30 21:20 <DIR> d-------- C:WINDOWSpeernet
2008-01-30 21:19 . 2008-01-30 21:19 <DIR> d-------- C:WINDOWSServicePackFiles
2008-01-30 21:16 . 2005-06-28 10:21 22,752 --a------ C:WINDOWSsystem32spupdsvc.exe
2008-01-30 21:14 . 2008-01-30 21:14 <DIR> d-------- C:WINDOWSEHome
2008-01-30 21:11 . 2004-08-04 00:56 11,776 --------- C:WINDOWSsystem32spnpinst.exe
2008-01-30 21:11 . 2004-08-02 14:20 7,208 --------- C:WINDOWSsystem32secupd.sig
2008-01-30 21:11 . 2004-08-02 14:20 4,569 --------- C:WINDOWSsystem32secupd.dat
2008-01-30 20:54 . 2008-01-31 05:18 <DIR> d-------- C:Documents and SettingsAll UsersApplication DataSpybot - Search & Destroy
2008-01-30 20:51 . 2008-01-30 20:51 <DIR> d-------- C:Program FilesLavasoft
2008-01-30 20:51 . 2008-01-30 20:51 <DIR> d-------- C:Program FilesCommon FilesWise Installation Wizard
2008-01-30 20:51 . 2008-01-30 20:51 <DIR> d-------- C:Documents and SettingsAll UsersApplication DataLavasoft
2008-01-30 20:49 . 2008-01-30 20:49 0 --a------ C:WINDOWSativpsrm.bin
2008-01-30 20:47 . 2007-12-20 21:05 593,920 --------- C:WINDOWSsystem32ati2sgag.exe
2008-01-30 20:30 . 2004-08-04 01:56 614,912 --a------ C:WINDOWSsystem32h323msp.dll
2008-01-30 20:30 . 2004-08-04 01:56 331,264 --a------ C:WINDOWSsystem32ipnathlp.dll
2008-01-30 20:30 . 2004-08-04 01:56 265,728 --a------ C:WINDOWSsystem32h323.tsp
2008-01-30 20:30 . 2004-08-04 01:56 77,312 --a------ C:WINDOWSsystem32browser.dll
2008-01-30 20:30 . 2007-03-08 09:36 40,960 --a------ C:WINDOWSsystem32mf3216.dll
2008-01-30 20:29 . 2008-01-30 20:29 <DIR> d-------- C:Program FilesATI Multimedia
2008-01-30 20:27 . 2008-01-30 20:27 <DIR> d-------- C:Program FilesWindows Media Components
2008-01-30 20:26 . 2008-01-30 20:26 <DIR> d---s---- C:WINDOWSsystem32Microsoft
2008-01-30 20:26 . 2008-01-30 20:26 <DIR> d-------- C:Program FilesCommon FilesCyberLink
2008-01-30 20:26 . 2008-01-30 20:29 <DIR> d-------- C:Program FilesCommon FilesATI
2008-01-30 20:25 . 2008-01-30 20:47 <DIR> d--h----- C:Program FilesInstallShield Installation Information
2008-01-30 20:25 . 2008-01-30 20:25 <DIR> d-------- C:Program FilesATI Technologies
2008-01-30 20:24 . 2008-01-30 20:26 <DIR> d-------- C:Program FilesCommon FilesInstallShield
2008-01-30 20:21 . 2008-01-30 20:41 <DIR> d--h-c--- C:WINDOWS$xpsp1hfm$
2008-01-30 20:21 . 2004-01-09 23:11 26,112 --a------ C:WINDOWSsystem32xpsp1hfm.exe
2007-12-20 21:53 . 2007-12-20 21:53 2,843,136 --a------ C:WINDOWSsystem32driversati2mtag.sys
2007-12-20 21:09 . 2007-12-20 21:09 368,640 --a------ C:WINDOWSsystem32ATIDEMGX.dll
2007-12-20 21:08 . 2007-12-20 21:08 272,384 --a------ C:WINDOWSsystem32ati2dvag.dll
2007-12-20 21:02 . 2007-12-20 21:02 307,200 --a------ C:WINDOWSsystem32atiiiexx.dll
2007-12-20 20:59 . 2007-12-20 20:59 147,456 --a------ C:WINDOWSsystem32atipdlxx.dll
2007-12-20 20:59 . 2007-12-20 20:59 122,880 --a------ C:WINDOWSsystem32Oemdspif.dll
2007-12-20 20:59 . 2007-12-20 20:59 43,520 --a------ C:WINDOWSsystem32ati2edxx.dll
2007-12-20 20:59 . 2007-12-20 20:59 26,112 --a------ C:WINDOWSsystem32Ati2mdxx.exe
2007-12-20 20:58 . 2007-12-20 20:58 122,880 --a------ C:WINDOWSsystem32ati2evxx.dll
2007-12-20 20:57 . 2007-12-20 20:57 512,000 --a------ C:WINDOWSsystem32ati2evxx.exe
2007-12-20 20:56 . 2007-12-20 20:56 53,248 --a------ C:WINDOWSsystem32ATIDDC.DLL
2007-12-20 20:53 . 2007-12-20 20:53 9,826,304 --a------ C:WINDOWSsystem32atioglx2.dll
2007-12-20 20:47 . 2007-12-20 20:47 3,120,640 --a------ C:WINDOWSsystem32ati3duag.dll
2007-12-20 20:36 . 2007-12-20 20:36 1,661,696 --a------ C:WINDOWSsystem32ativvaxx.dll
2007-12-20 20:35 . 2007-12-20 20:35 3,107,788 --a------ C:WINDOWSsystem32ativvaxx.dat
2007-12-20 20:35 . 2007-12-20 20:35 3,107,788 --a------ C:WINDOWSsystem32ativva5x.dat
2007-12-20 20:35 . 2007-12-20 20:35 887,724 --a------ C:WINDOWSsystem32ativva6x.dat
2007-12-20 20:24 . 2007-12-20 20:24 46,080 --a------ C:WINDOWSsystem32amdpcom32.dll
2007-12-20 20:20 . 2007-12-20 20:20 5,435,392 --a------ C:WINDOWSsystem32atioglxx.dll
2007-12-20 20:20 . 2007-12-20 20:20 385,024 --a------ C:WINDOWSsystem32atikvmag.dll
2007-12-20 20:18 . 2007-12-20 20:18 17,408 --a------ C:WINDOWSsystem32atitvo32.dll
2007-12-20 20:17 . 2007-12-20 20:17 49,152 --a------ C:WINDOWSsystem32driversati2erec.dll
2007-12-20 20:15 . 2007-12-20 20:15 159,744 --a------ C:WINDOWSsystem32atiok3x2.dll
2007-12-20 20:11 . 2007-12-20 20:11 499,712 --a------ C:WINDOWSsystem32ati2cqag.dll
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:WINDOWSsystem32lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 02:27 --------- d--h--w C:Program FilesUninstall Information
2008-01-31 02:21 --------- d-----w C:Documents and SettingsEricApplication DataU3
2008-01-31 01:42 --------- d-----w C:Program Filesmicrosoft frontpage
2007-11-07 09:26 721,920 ----a-w C:WINDOWSsystem32lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:WINDOWSsystem32quartz.dll
2007-10-27 23:39 230,912 ----a-w C:WINDOWSsystem32wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:WINDOWSsystem32wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"MSMSGS"="C:Program FilesMessengermsmsgs.exe" [2004-10-13 10:241694208]
"ATI Launchpad"=""
"SpybotSD TeaTimer"="C:Program FilesSpybot - Search & DestroyTeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:WINDOWSsystem32ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"AVG7_CC"="C:PROGRA~1GrisoftAVG7avgcc.exe" [2008-01-31 05:06 579072]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"AVG7_Run"="C:PROGRA~1GrisoftAVG7avgw.exe" [2008-01-30 21:51 219136]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 05:20:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 5:20:54
ComboFix-quarantined-files.txt 2008-01-31 11:20:40
.
2008-01-31 07:07:00 --- E O F ---


au98 - 31-1-2008 at 11:23

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:33 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:Program FilesLavasoftAd-Aware 2007aawservice.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1GrisoftAVG7avgupsvc.exe
C:WINDOWSsystem32ctfmon.exe
C:PROGRA~1GrisoftAVG7avgamsvr.exe
C:PROGRA~1GrisoftAVG7avgemc.exe
C:WINDOWSexplorer.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesGrisoftAVG7avgcc.exe
C:Program FilesInternet Exploreriexplore.exe
D:SecurityHiJack ThisHiJackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.att.net/s/commoditynews.dll?method=search&type=weather&searchText=39056&_lid=132&_lnm=SrchfrmHmPg
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-19..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201744241036
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201747129639
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSSystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:WINDOWSsystem32ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgemc.exe

--
End of file - 4207 bytes


Pancake - 31-1-2008 at 21:28

Before we do any cleaning we need to download the installation package from Microsoft so that it can be used to install the Recovery Console on your computer. The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. No validation required! Please select the download link below that's appropriate for your Operating System, then download and save the setup package to your desktop. If necessary, change the language version to match your installation. Do NOT change the name of the downloaded file!



Microsoft Windows XP Home Edition
Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=FBE5E4FC-695F-43E5-AF05-719F45C382A4

Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464

Microsoft Windows XP Professional
Without Service Packs
http://www.microsoft.com/downloads/details.aspx?FamilyID=55820EDB-5039-4955-BCB7-4FED408EA73F

Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=83F53BE9-28FA-40E8-8EC2-631504EF5E26

Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124



Download the file & save it as it's originally named, next to the ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.



Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.


au98 - 31-1-2008 at 23:16

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:CMDCONSBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


Pancake - 31-1-2008 at 23:56

Ok, good. Just need to do one online check and we are done. Due to the composition and layout of this site my colors and gifs don't show up.


Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


au98 - 1-2-2008 at 00:57

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 31, 2008 6:59:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/01/2008
Kaspersky Anti-Virus database records: 542685
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:
C:
D:
E:

Scan Statistics:
Total number of scanned objects: 34385
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:23:44

Infected Object Name / Virus Name / Last Action
C:Documents and SettingsAll UsersApplication Dataavg7Logemc.log Object is locked skipped
C:Documents and SettingsAll UsersApplication DataGrisoftAvg7Dataavg7log.log Object is locked skipped
C:Documents and SettingsAll UsersApplication DataGrisoftAvg7Dataavg7log.log.lck Object is locked skipped
C:Documents and SettingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr0.dat Object is locked skipped
C:Documents and SettingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr1.dat Object is locked skipped
C:Documents and SettingsEricCookiesindex.dat Object is locked skipped
C:Documents and SettingsEricLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat Object is locked skipped
C:Documents and SettingsEricLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat.LOG Object is locked skipped
C:Documents and SettingsEricLocal SettingsHistoryHistory.IE5index.dat Object is locked skipped
C:Documents and SettingsEricLocal SettingsTemp~DFD15B.tmp Object is locked skipped
C:Documents and SettingsEricLocal SettingsTemp~DFD166.tmp Object is locked skipped
C:Documents and SettingsEricLocal SettingsTemporary Internet FilesAntiPhishingB3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:Documents and SettingsEricLocal SettingsTemporary Internet FilesContent.IE5index.dat Object is locked skipped
C:Documents and SettingsEricNTUSER.DAT Object is locked skipped
C:Documents and SettingsEricNTUSER.DAT.LOG Object is locked skipped
C:Documents and SettingsLocalServiceCookiesindex.dat Object is locked skipped
C:Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat Object is locked skipped
C:Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat.LOG Object is locked skipped
C:Documents and SettingsLocalServiceLocal SettingsHistoryHistory.IE5index.dat Object is locked skipped
C:Documents and SettingsLocalServiceLocal SettingsTemporary Internet FilesContent.IE5index.dat Object is locked skipped
C:Documents and SettingsLocalServiceNTUSER.DAT Object is locked skipped
C:Documents and SettingsLocalServicentuser.dat.LOG Object is locked skipped
C:Documents and SettingsNetworkServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat Object is locked skipped
C:Documents and SettingsNetworkServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat.LOG Object is locked skipped
C:Documents and SettingsNetworkServiceNTUSER.DAT Object is locked skipped
C:Documents and SettingsNetworkServicentuser.dat.LOG Object is locked skipped
C:System Volume InformationMountPointManagerRemoteDatabase Object is locked skipped
C:System Volume Information_restore{BD647E03-2251-49F8-BC2F-4A6D8B5AB595}RP33change.log Object is locked skipped
C:WINDOWSDebugPASSWD.LOG Object is locked skipped
C:WINDOWSSchedLgU.Txt Object is locked skipped
C:WINDOWSSoftwareDistributionEventCache{57B063C0-FD41-4F5E-BD71-8F0A01273E00}.bin Object is locked skipped
C:WINDOWSSoftwareDistributionReportingEvents.log Object is locked skipped
C:WINDOWSsystem32CatRoot2edb.log Object is locked skipped
C:WINDOWSsystem32CatRoot2tmp.edb Object is locked skipped
C:WINDOWSsystem32configAppEvent.Evt Object is locked skipped
C:WINDOWSsystem32configdefault Object is locked skipped
C:WINDOWSsystem32configdefault.LOG Object is locked skipped
C:WINDOWSsystem32configInternet.evt Object is locked skipped
C:WINDOWSsystem32configSAM Object is locked skipped
C:WINDOWSsystem32configSAM.LOG Object is locked skipped
C:WINDOWSsystem32configSecEvent.Evt Object is locked skipped
C:WINDOWSsystem32configSECURITY Object is locked skipped
C:WINDOWSsystem32configSECURITY.LOG Object is locked skipped
C:WINDOWSsystem32configsoftware Object is locked skipped
C:WINDOWSsystem32configsoftware.LOG Object is locked skipped
C:WINDOWSsystem32configSysEvent.Evt Object is locked skipped
C:WINDOWSsystem32configsystem Object is locked skipped
C:WINDOWSsystem32configsystem.LOG Object is locked skipped
C:WINDOWSsystem32h323log.txt Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSINDEX.BTR Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSINDEX.MAP Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSMAPPING.VER Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSMAPPING1.MAP Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSMAPPING2.MAP Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSOBJECTS.DATA Object is locked skipped
C:WINDOWSsystem32wbemRepositoryFSOBJECTS.MAP Object is locked skipped
C:WINDOWSWindowsUpdate.log Object is locked skipped
D:System Volume InformationMountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Pancake - 1-2-2008 at 01:10

Ok, that's great. You are all done. All clean.

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

Quote:


ComboFix /u


au98 - 1-2-2008 at 02:26

Thank you very much.


Pancake - 1-2-2008 at 02:50

You're welcome.