
[Active] Unable to remove Rootkit.Agent. Please help!

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by missmcmonkeymcbean, Jan 17, 2010.

  1. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Hi

    I've run Malwarebytes and it's managed to remove quite a few of the infections that were on my computer already (including System Defender and Antivirus Pro 2010), but now it keeps showing Rootkit.Agent and however many times I select to remove it, it's still there when the computer is restarted. I also have problems with Internet Explorer: when I select a link on Google, it redirects me to random webpages. Lastly, I did have problems with changing the desktop background image; it was disabled for a while but I think it's ok now (not sure if that is relevant or not).

    Please can you give me some instructions on how to remove the Rootkit.Agent and any other lingering infection/virus/worm on my pc as I seem to have had them all recently!

    This is the log from Malwarebytes:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3581
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    17/01/2010 11:38:26
    mbam-log-2010-01-17 (11-38-10).txt

    Scan type: Quick Scan
    Objects scanned: 113369
    Time elapsed: 7 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\nqnnxw.sys (Rootkit.Agent) -> No action taken.

    thanks
     
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    The log says "No action taken", so you either posted the log from before fixes, or you didn't apply any fix.
    Please, re-do.
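    The point broni makes here rests on the trailing action in each Malwarebytes detection line ("-> No action taken." versus "-> Delete on reboot." or "-> Quarantined and deleted successfully."). As an added example, not code from this thread or from Malwarebytes, the following Python parser reads the per-section part of an MBAM 1.x log, extracts each detection and classifies whether the log shows an unremediated finding, a removal still waiting on a reboot, or a clean result. The two sample logs are constructed for the example; the file path and threat name in them are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample logs in the shape Malwarebytes' Anti-Malware 1.x writes them
# (the path and threat name are made up for this example).
SAMPLE_BEFORE_FIX = r"""
Malwarebytes' Anti-Malware 1.44
Scan type: Quick Scan
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\example.sys (Rootkit.Agent) -> No action taken.
"""

SAMPLE_AFTER_FIX = r"""
Malwarebytes' Anti-Malware 1.44
Scan type: Quick Scan
Files Infected: 1

Files Infected:
C:\WINDOWS\system32\drivers\example.sys (Rootkit.Agent) -> Delete on reboot.
"""

# A section header such as "Files Infected:" with nothing after the colon.
# The summary block at the top has a count after the colon and so never matches.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection line: "<object> (<threat>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str


def parse_detections(log_text):
    """Return every detection listed in the per-section part of an MBAM log."""
    detections = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue  # preamble, blank line, or "(No malicious items detected)"
        hit = DETECTION_RE.match(line)
        if hit:
            detections.append(Detection(section, hit.group("item"),
                                        hit.group("threat"), hit.group("action")))
    return detections


def unremediated(log_text):
    """Detections the scanner reported but did not act on."""
    return [d for d in parse_detections(log_text)
            if d.action.strip().lower() == "no action taken"]


def classify(log_text):
    """Summarise the log as 'clean', 'unremediated', 'pending reboot' or 'remediated'."""
    detections = parse_detections(log_text)
    if not detections:
        return "clean"
    if unremediated(log_text):
        return "unremediated"
    if any("reboot" in d.action.lower() for d in detections):
        return "pending reboot"
    return "remediated"


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE_FIX), ("after", SAMPLE_AFTER_FIX)):
        print(label, "->", classify(text))
        for d in unremediated(text):
            print("  still present:", d.item, "(%s)" % d.threat)
```

    A "pending reboot" result is the one to watch in a thread like this: a driver that is back after the restart means the "Delete on reboot" step did not take, which is exactly what the next post reports.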
     
  3. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Hi
    Here's the log redone. I have run this quite a few times and after restarting and running Malwarebytes again, the virus is still there. Thanks!

    Malwarebytes' Anti-Malware 1.44
    Database version: 3581
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    17/01/2010 19:34:09
    mbam-log-2010-01-17 (19-34-09).txt

    Scan type: Quick Scan
    Objects scanned: 113347
    Time elapsed: 6 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\nqnnxw.sys (Rootkit.Agent) -> Delete on reboot.
     
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE. If Combofix asks you to install Recovery Console, please allow it.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Here's the log from ComboFix:

    ComboFix 10-01-16.04 - Becky 17/01/2010 20:03:38.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1575 [GMT 0:00]
    Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Becky\LOCALS~1\Temp\tmp1.tmp
    c:\documents and settings\All Users\Documents\obegohuva.bat
    c:\documents and settings\All Users\Documents\ysod.reg
    c:\documents and settings\Becky\Application Data\iniasd.txt
    c:\documents and settings\Becky\Application Data\SystemProc
    c:\documents and settings\Becky\Local Settings\Application Data\wyva.vbs
    c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
    c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
    c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
    c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    c:\recycler\S-1-5-21-2792737836-4270530095-701979231-1003
    C:\s
    C:\VDM20.tmp
    C:\VDM21.tmp
    C:\VDM24.tmp
    C:\VDM25.tmp
    c:\windows\dyto.bat
    c:\windows\nuva.inf
    c:\windows\odabo.scr
    c:\windows\run.log
    c:\windows\system32\18467.exe
    c:\windows\system32\drivers\nqnnxw.sys
    c:\windows\system32\xa.tmp
    c:\windows\tugapu.dll
    c:\windows\xezihujapa.dll
    D:\Autorun.inf

    c:\windows\system32\proquota.exe was missing
    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS
    -------\Legacy_nqnnxw
    -------\Service_nqnnxw


    ((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
    .

    2010-01-17 20:17 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
    2010-01-17 20:17 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2010-01-17 10:40 . 2010-01-17 10:53 -------- d-----w- C:\$AVG
    2010-01-17 10:39 . 2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-01-17 10:39 . 2010-01-17 10:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-01-17 10:39 . 2010-01-17 10:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-01-17 10:39 . 2010-01-17 10:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-01-17 10:39 . 2010-01-17 10:41 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-01-17 10:39 . 2010-01-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-01-17 10:39 . 2010-01-17 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-01-17 01:46 . 2010-01-17 01:51 -------- d-----w- c:\program files\The Serpent of Isis
    2010-01-17 00:29 . 2010-01-17 00:29 -------- d-----w- c:\documents and settings\Becky\Application Data\Playrix Entertainment
    2010-01-16 17:35 . 2010-01-16 17:35 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\Threat Expert
    2010-01-16 17:30 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-01-16 17:30 . 2009-11-10 10:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-16 17:30 . 2009-11-10 10:28 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-16 17:30 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-16 17:30 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-01-16 17:30 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
    2010-01-16 17:27 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-01-16 17:27 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-01-16 17:27 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-01-16 17:27 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-01-16 17:27 . 2010-01-16 17:31 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-01-16 17:27 . 2010-01-16 17:41 -------- d-----w- c:\program files\Spyware Doctor
    2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\Becky\Application Data\PC Tools
    2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-01-16 12:21 . 2010-01-16 12:21 118256 ----a-w- c:\windows\system32\-jEtVCPJab.exe
    2010-01-12 23:17 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-01 18:40 . 2010-01-01 18:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-12-29 00:59 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSQLBJAID_APDM
    2009-12-29 00:56 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\394514d
    2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\Becky\Application Data\blg
    2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\blg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-17 20:25 . 2008-02-07 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
    2010-01-17 20:20 . 2009-05-30 13:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-01-17 14:44 . 2006-08-01 17:43 6448 ----a-w- c:\documents and settings\Becky\Application Data\wklnhst.dat
    2010-01-17 10:39 . 2010-01-17 10:47 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-17 10:39 . 2010-01-17 10:47 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-01-17 10:39 . 2010-01-17 10:47 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
    2010-01-17 10:39 . 2010-01-17 10:47 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
    2010-01-17 10:39 . 2010-01-17 10:47 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
    2010-01-17 10:39 . 2010-01-17 10:47 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
    2010-01-17 10:39 . 2008-08-17 15:21 -------- d-----w- c:\program files\AVG
    2010-01-17 10:26 . 2009-10-08 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-17 10:26 . 2010-01-01 11:39 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-17 01:41 . 2009-05-30 13:45 -------- d-----w- c:\program files\bfgclient
    2010-01-17 01:41 . 2010-01-17 01:40 3054384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-01-17 01:40 . 2009-05-30 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-01-09 11:27 . 2008-10-05 10:25 -------- d-----w- c:\program files\DNA
    2010-01-07 19:17 . 2009-11-30 20:11 -------- d-----w- c:\program files\iPod
    2010-01-07 19:13 . 2008-08-22 22:50 -------- d-----w- c:\documents and settings\Becky\Application Data\Apple Computer
    2010-01-07 19:12 . 2009-02-11 21:10 -------- d-----w- c:\program files\Bonjour
    2010-01-07 16:07 . 2009-10-08 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-10-08 20:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-06 20:07 . 2010-01-06 20:07 143264 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\serpent-of-isis_s1_l1_gF2816T1L1_d757478336.exe
    2010-01-06 20:07 . 2010-01-06 20:07 2997384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
    2010-01-01 10:55 . 2010-01-01 10:55 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-01 10:55 . 2009-11-29 21:32 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-01 10:18 . 2009-06-15 20:07 -------- d-----w- c:\program files\PokerStars.NET
    2009-12-25 22:58 . 2009-02-11 21:22 -------- d-----w- c:\program files\iTunes
    2009-12-09 22:58 . 2009-12-09 22:57 -------- d-----w- c:\documents and settings\Becky\Application Data\TitanicMystery
    2009-12-09 22:57 . 2009-11-15 22:14 -------- d-----w- c:\program files\1912 - Titanic Mystery
    2009-11-30 20:49 . 2009-11-30 20:49 34980 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-11-30 20:11 . 2009-11-30 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-30 20:11 . 2008-08-22 22:48 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-30 20:09 . 2009-11-30 20:08 -------- d-----w- c:\program files\QuickTime
    2009-11-30 20:02 . 2009-11-30 20:02 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-30 20:00 . 2009-02-11 21:09 -------- d-----w- c:\program files\Safari
    2009-11-30 19:57 . 2009-11-30 19:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
    2009-11-25 13:01 . 2010-01-17 11:05 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
    2009-11-22 21:30 . 2009-11-22 21:30 -------- d-----w- c:\documents and settings\Becky\Application Data\Big Fish Games
    2009-11-21 15:51 . 2004-09-10 01:08 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 07:45 . 2004-09-10 08:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2004-09-10 01:09 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-09-10 01:09 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-08 19:23 . 2009-10-08 19:23 19993 ----a-w- c:\program files\Common Files\noleb.pif
    2009-10-08 19:23 . 2009-10-08 19:23 16598 ----a-w- c:\program files\Common Files\iwimyq.com
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DSLAGENTEXE"="dslagent.exe USB" [X]
    "Ptipbmf"="ptipbmf.dll" [2004-10-07 118784]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-25 7122944]
    "nwiz"="nwiz.exe" [2005-10-25 1519616]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
    "CHotkey"="mHotkey.exe" [2001-12-26 472576]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-25 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-25 688218]
    "StillMnt"="Bs350u2r.exe" [2004-10-28 36864]
    "SoundMan"="SOUNDMAN.EXE" [2004-11-25 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2004-11-25 2747392]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-09-22 1695744]
    "GSICONEXE"="gsicon.exe" [2003-05-14 90112]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-15 26112]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-17 2033432]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-6-15 1208320]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
    "c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Anno 1701\\Anno1701.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/01/2010 17:27 207792]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/01/2010 10:39 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/01/2010 10:39 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/01/2010 10:39 285392]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [16/01/2010 17:30 112592]
    R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [25/11/2004 19:57 223112]
    S1 dhf725d;dhf725d;c:\windows\system32\drivers\dhf725d.sys --> c:\windows\system32\drivers\dhf725d.sys [?]
    S1 dij959b;dij959b;c:\windows\system32\drivers\dij959b.sys --> c:\windows\system32\drivers\dij959b.sys [?]
    S1 dqe051b;dqe051b;c:\windows\system32\drivers\dqe051b.sys --> c:\windows\system32\drivers\dqe051b.sys [?]
    S1 hpib857;hpib857;c:\windows\system32\drivers\hpib857.sys --> c:\windows\system32\drivers\hpib857.sys [?]
    S1 ianbf43;ianbf43;c:\windows\system32\drivers\ianbf43.sys --> c:\windows\system32\drivers\ianbf43.sys [?]
    S1 kplcaf3;kplcaf3;c:\windows\system32\drivers\kplcaf3.sys --> c:\windows\system32\drivers\kplcaf3.sys [?]
    S1 opff50c;opff50c;c:\windows\system32\drivers\opff50c.sys --> c:\windows\system32\drivers\opff50c.sys [?]
    S1 pns57f9;pns57f9;c:\windows\system32\drivers\pns57f9.sys --> c:\windows\system32\drivers\pns57f9.sys [?]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [16/01/2010 17:27 359624]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKLM-Run-lphcrjlj0eg2p - c:\windows\system32\lphcrjlj0eg2p.exe
    AddRemove-AOL YGP Screensaver - c:\program files\Common Files\AOL\Screensaver\uninst_ygpss.exe
    AddRemove-Usenet.to_is1 - c:\program files\Usenet.to\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-01-17 20:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8A8A5618]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba96cf28
    \Driver\ACPI -> ACPI.sys @ 0xba75fcb8
    \Driver\atapi -> atapi.sys @ 0xba5c0852
    IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: 802.11g MiniPCI Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba45cbd4
    PacketIndicateHandler -> NDIS.sys @ 0xba468a21
    SendHandler -> NDIS.sys @ 0xba45cd44
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2634387147-1957605736-1916086949-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:c8,29,84,9b,e8,1c,11,d0,f9,09,56,a1,09,3c,ce,39,4e,59,fe,f7,e5,2b,ec,
    3f,79,c2,82,06,d9,dd,4a,34,be,cf,04,0f,9d,9b,43,18,7a,c0,cd,69,74,14,45,d9,\
    "??"=hex:ab,a1,2d,ae,71,47,97,9c,5d,99,9b,e7,bc,07,f6,26
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1016)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(1076)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2656)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\slserv.exe
    c:\windows\system32\UAService7.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\mHotkey.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\Bs350u2\StillMnt.exe
    c:\windows\system32\gsicon.exe
    c:\windows\system32\dslagent.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-17 20:31:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-17 20:31

    Pre-Run: 10,082,344,960 bytes free
    Post-Run: 10,657,013,760 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - B2E26E90101F1F795CB21B28EDF0C8E7

    What comes next?
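    Two kinds of entry in the log above are what a reviewer picks out by eye: the `S1` service lines whose image file ComboFix could not find (`<path> --> <path> [?]`, with display names identical to the seven-character service names, which is what the CFScript later in this thread targets), and the Supplementary Scan line setting the browser's ProxyServer to 127.0.0.1:5555, which routes Internet Explorer through a process on the local machine. As an added example, not code from this thread or from ComboFix, the Python script below parses constructed lines in ComboFix's layout and reports both indicators. The service names, paths and timestamps in the sample are made up; the reading of the R/S letter as running/stopped and the digit as the service start type is this example's assumption about the ComboFix format.

```python
import re

# Constructed sample lines in the layout ComboFix writes (not the thread's own log).
# Service lines: "<R|S><start type> <service name>;<display name>;<image path> [<date size>]".
# Assumed meaning: R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 manual).
# A line ending "<path> --> <path> [?]" means ComboFix could not find the image file on disk.
SAMPLE_LOG = r"""
R1 ExampleAvLdr;Example AV Loader Driver;c:\windows\system32\drivers\exavldr.sys [17/01/2010 10:39 333192]
R2 ExampleUpd;Example Update Service;c:\program files\Example\upd.exe [16/01/2010 17:30 112592]
S1 abc123z;abc123z;c:\windows\system32\drivers\abc123z.sys --> c:\windows\system32\drivers\abc123z.sys [?]
S1 qrs987x;qrs987x;c:\windows\system32\drivers\qrs987x.sys --> c:\windows\system32\drivers\qrs987x.sys [?]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.example.invalid/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>\S.*?)\s*$")
LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)


def parse_services(log_text):
    """Return one dict per Drivers/Services line found in the log text."""
    services = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            services.append(m.groupdict())
    return services


def triage_services(log_text):
    """List (service name, reasons) for entries that deserve a closer look."""
    findings = []
    for svc in parse_services(log_text):
        reasons = []
        if svc["stamp"].strip() == "?":
            reasons.append("image file missing on disk")
        if svc["display"].strip().lower() == svc["name"].strip().lower():
            reasons.append("display name is just the service name")
        if reasons and svc["start"][1] in "01":
            # Boot/system-start kernel drivers load before most security software does.
            reasons.append("loads at boot/system start (%s)" % svc["start"])
        if reasons:
            findings.append((svc["name"], reasons))
    return findings


def proxy_findings(log_text):
    """Return ProxyServer values that point the browser at the local machine."""
    hits = []
    for raw in log_text.splitlines():
        m = PROXY_RE.match(raw.strip())
        if m and LOOPBACK_RE.search(m.group("value")):
            hits.append(m.group("value"))
    return hits


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons))
    for value in proxy_findings(SAMPLE_LOG):
        print("browser proxy set to the local machine:", value)
```

    Both checks are deterministic reads of what ComboFix already wrote, so the script flags nothing a human reviewer could not see; its value is that the same rules run identically over a 500-line log. A loopback proxy finding is a prompt to identify which local process listens on that port before the setting is cleared, since the listener is the thing doing the redirecting.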
     
  6. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    While I'm reviewing Combofix log...

    Download HijackThis:
    HijackThis - Trend Micro USA
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  7. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    c:\windows\system32\-jEtVCPJab.exe
    c:\program files\Common Files\noleb.pif
    c:\program files\Common Files\iwimyq.com
    c:\windows\system32\drivers\pns57f9.sys
    c:\windows\system32\drivers\opff50c.sys
    c:\windows\system32\drivers\kplcaf3.sys
    c:\windows\system32\drivers\ianbf43.sys
    c:\windows\system32\drivers\hpib857.sys
    c:\windows\system32\drivers\dqe051b.sys
    c:\windows\system32\drivers\dij959b.sys
    c:\windows\system32\drivers\dhf725d.sys
    
    
    Folder::
    
    Driver::
    dhf725d
    dij959b
    dqe051b
    hpib857
    ianbf43
    kplcaf3
    opff50c
    pns57f9
    
    
    Registry::
    
    RegLockDel::
    
    MBR::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  8. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    HijackThis log:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:03:06, on 17/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\Bs350u2\StillMnt.exe
    C:\WINDOWS\system32\gsicon.exe
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO:  - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StillMnt] Bs350u2r.exe /StartStillMnt
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 9882 bytes
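The proxy line in the log above (ProxyServer = http=127.0.0.1:5555) is the kind of entry a helper looks at first: with it set, Internet Explorer hands every HTTP request to whatever is listening on that local port, which fits the search-redirect symptom described in the opening post. The script below is an added example, not part of this thread and not a HijackThis feature. It parses the R1, O2 and O23 lines of a HijackThis log and flags a loopback proxy, a BHO registered without a display name, and services with no company name. The three rules and their severities are this example's own assumptions, and the sample log is constructed from lines copied out of the post above.

```python
"""Triage a HijackThis log for the indicators visible in this thread.

Added example (not part of the original post and not a HijackThis feature):
the three rules below are this example's own assumptions about what a
helper checks first, and SAMPLE_LOG is constructed from lines copied
out of the log posted above.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: a subset of the posted HijackThis log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO:  - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

# R1 line carrying the per-user WinINet proxy setting.
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
# O2 line: "BHO: <name> - {CLSID} - <dll path>"; <name> may be empty.
BHO_RE = re.compile(r"^O2 - BHO: ?(?P<name>.*?) ?- \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
# O23 line: "Service: <display name> - <owner> - <binary path>"; an empty
# <owner> is printed as "name - - path", hence the optional space.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.+)$")

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def proxy_endpoints(value: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (protocol, host, port) from a WinINet ProxyServer value.

    The value is either "host:port" (all protocols) or a ';'-separated
    list of "proto=host:port" entries, e.g. "http=127.0.0.1:5555".
    """
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        proto, _, hostport = entry.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:  # no ':' present: the whole thing is the host
            host, port = port, ""
        yield (proto or "*", host, port)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches one of the three rules."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            for proto, host, port in proxy_endpoints(m.group("value")):
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append({
                        "kind": "loopback-proxy", "severity": "high",
                        "proto": proto, "host": host, "port": port, "line": line,
                        "why": f"IE sends all {proto} traffic through a process on this "
                               f"machine; check what listens on port {port} (netstat -ano)",
                    })
            continue

        m = BHO_RE.match(line)
        if m and not m.group("name").strip():
            findings.append({
                "kind": "unnamed-bho", "severity": "medium",
                "clsid": m.group("clsid"), "path": m.group("path"), "line": line,
                "why": "BHO registered without a display name; verify the DLL's publisher",
            })
            continue

        m = SERVICE_RE.match(line)
        if m and m.group("owner").strip().lower() in {"", "unknown owner"}:
            findings.append({
                "kind": "unverified-service", "severity": "low",
                "name": m.group("name"), "path": m.group("path"), "line": line,
                "why": "no company name on the binary; confirm the file's signature or hash",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['kind']}: {f['why']}")
        print("    " + f["line"])
```

Run it against a saved HijackThis log. The unverified-service rule deliberately stays at low severity because plenty of legitimate drivers ship without a company field (the SmartLink and SecuROM entries above are examples), so it is a "go and check" list rather than a verdict. On the affected machine, `netstat -ano` shows which process ID, if any, is bound to port 5555.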
     
  9. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    OK, I've done the above and run both ComboFix and HijackThis again. Here are the logs:

    ComboFix 10-01-16.04 - Becky 17/01/2010 21:17:49.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1583 [GMT 0:00]
    Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Becky\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\program files\Common Files\iwimyq.com"
    "c:\program files\Common Files\noleb.pif"
    "c:\windows\system32\-jEtVCPJab.exe"
    "c:\windows\system32\drivers\dhf725 d.sys"
    "c:\windows\system32\drivers\dij959 b.sys"
    "c:\windows\system32\drivers\dqe051 b.sys"
    "c:\windows\system32\drivers\hpib85 7.sys"
    "c:\windows\system32\drivers\ianbf4 3.sys"
    "c:\windows\system32\drivers\kplcaf 3.sys"
    "c:\windows\system32\drivers\opff50 c.sys"
    "c:\windows\system32\drivers\pns57f 9.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\iwimyq.com
    c:\program files\Common Files\noleb.pif
    c:\windows\system32\-jEtVCPJab.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_HPIB857
    -------\Service_dhf725d
    -------\Service_dij959b
    -------\Service_dqe051b
    -------\Service_hpib857
    -------\Service_ianbf43
    -------\Service_kplcaf3
    -------\Service_opff50c
    -------\Service_pns57f9


    ((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
    .

    2010-01-17 21:02 . 2010-01-17 21:02 -------- d-----w- c:\program files\Trend Micro
    2010-01-17 20:17 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
    2010-01-17 20:17 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2010-01-17 10:40 . 2010-01-17 10:53 -------- d-----w- C:\$AVG
    2010-01-17 10:39 . 2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-01-17 10:39 . 2010-01-17 10:39 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-01-17 10:39 . 2010-01-17 10:39 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-01-17 10:39 . 2010-01-17 10:39 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-01-17 10:39 . 2010-01-17 10:41 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-01-17 10:39 . 2010-01-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-01-17 10:39 . 2010-01-17 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-01-17 01:46 . 2010-01-17 01:51 -------- d-----w- c:\program files\The Serpent of Isis
    2010-01-17 00:29 . 2010-01-17 00:29 -------- d-----w- c:\documents and settings\Becky\Application Data\Playrix Entertainment
    2010-01-16 17:35 . 2010-01-16 17:35 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\Threat Expert
    2010-01-16 17:30 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-01-16 17:30 . 2009-11-10 10:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-16 17:30 . 2009-11-10 10:28 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-16 17:30 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-16 17:30 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-01-16 17:30 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
    2010-01-16 17:27 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-01-16 17:27 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-01-16 17:27 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-01-16 17:27 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-01-16 17:27 . 2010-01-16 17:31 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-01-16 17:27 . 2010-01-16 17:41 -------- d-----w- c:\program files\Spyware Doctor
    2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\Becky\Application Data\PC Tools
    2010-01-16 17:27 . 2010-01-16 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-01-12 23:17 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-01 18:40 . 2010-01-01 18:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-12-29 00:59 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSQLBJAID_APDM
    2009-12-29 00:56 . 2009-12-29 00:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\394514d
    2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\Becky\Application Data\blg
    2009-12-23 23:20 . 2009-12-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\blg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-17 21:36 . 2008-02-07 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
    2010-01-17 21:32 . 2009-05-30 13:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-01-17 14:44 . 2006-08-01 17:43 6448 ----a-w- c:\documents and settings\Becky\Application Data\wklnhst.dat
    2010-01-17 10:39 . 2010-01-17 10:47 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-17 10:39 . 2010-01-17 10:47 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-01-17 10:39 . 2010-01-17 10:47 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
    2010-01-17 10:39 . 2010-01-17 10:47 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
    2010-01-17 10:39 . 2010-01-17 10:47 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
    2010-01-17 10:39 . 2010-01-17 10:47 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
    2010-01-17 10:39 . 2008-08-17 15:21 -------- d-----w- c:\program files\AVG
    2010-01-17 10:26 . 2009-10-08 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-17 10:26 . 2010-01-01 11:39 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-17 01:41 . 2009-05-30 13:45 -------- d-----w- c:\program files\bfgclient
    2010-01-17 01:41 . 2010-01-17 01:40 3054384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-01-17 01:40 . 2009-05-30 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-01-09 11:27 . 2008-10-05 10:25 -------- d-----w- c:\program files\DNA
    2010-01-07 19:17 . 2009-11-30 20:11 -------- d-----w- c:\program files\iPod
    2010-01-07 19:13 . 2008-08-22 22:50 -------- d-----w- c:\documents and settings\Becky\Application Data\Apple Computer
    2010-01-07 19:12 . 2009-02-11 21:10 -------- d-----w- c:\program files\Bonjour
    2010-01-07 16:07 . 2009-10-08 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-10-08 20:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-06 20:07 . 2010-01-06 20:07 143264 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\serpent-of-isis_s1_l1_gF2816T1L1_d757478336.exe
    2010-01-06 20:07 . 2010-01-06 20:07 2997384 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
    2010-01-01 10:55 . 2010-01-01 10:55 152576 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-01 10:55 . 2009-11-29 21:32 79488 ----a-w- c:\documents and settings\Becky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-01 10:18 . 2009-06-15 20:07 -------- d-----w- c:\program files\PokerStars.NET
    2009-12-25 22:58 . 2009-02-11 21:22 -------- d-----w- c:\program files\iTunes
    2009-12-09 22:58 . 2009-12-09 22:57 -------- d-----w- c:\documents and settings\Becky\Application Data\TitanicMystery
    2009-12-09 22:57 . 2009-11-15 22:14 -------- d-----w- c:\program files\1912 - Titanic Mystery
    2009-11-30 20:49 . 2009-11-30 20:49 34980 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-11-30 20:11 . 2009-11-30 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-30 20:11 . 2008-08-22 22:48 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-30 20:09 . 2009-11-30 20:08 -------- d-----w- c:\program files\QuickTime
    2009-11-30 20:02 . 2009-11-30 20:02 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-30 20:00 . 2009-02-11 21:09 -------- d-----w- c:\program files\Safari
    2009-11-30 19:57 . 2009-11-30 19:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
    2009-11-25 13:01 . 2010-01-17 11:05 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
    2009-11-22 21:30 . 2009-11-22 21:30 -------- d-----w- c:\documents and settings\Becky\Application Data\Big Fish Games
    2009-11-21 15:51 . 2004-09-10 01:08 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 07:45 . 2004-09-10 08:09 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2004-09-10 01:09 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-09-10 01:09 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-01-17_20.22.10 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-17 21:32 . 2010-01-17 21:32 16384 c:\windows\Temp\Perflib_Perfdata_3b4.dat
    + 2010-01-17 21:32 . 2010-01-17 21:32 16384 c:\windows\Temp\Perflib_Perfdata_310.dat
    - 2004-09-10 01:56 . 2010-01-17 20:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2004-09-10 01:56 . 2010-01-17 21:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-09-30 21:09 . 2010-01-17 20:01 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    + 2009-09-30 21:09 . 2010-01-17 21:14 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
    + 2004-09-10 01:56 . 2010-01-17 21:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2004-09-10 01:56 . 2010-01-17 20:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2004-09-10 01:56 . 2010-01-17 20:01 262144 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2004-09-10 01:56 . 2010-01-17 21:14 262144 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DSLAGENTEXE"="dslagent.exe USB" [X]
    "Ptipbmf"="ptipbmf.dll" [2004-10-07 118784]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-25 7122944]
    "nwiz"="nwiz.exe" [2005-10-25 1519616]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
    "CHotkey"="mHotkey.exe" [2001-12-26 472576]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-25 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-25 688218]
    "StillMnt"="Bs350u2r.exe" [2004-10-28 36864]
    "SoundMan"="SOUNDMAN.EXE" [2004-11-25 77824]
    "AlcWzrd"="ALCWZRD.EXE" [2004-11-25 2747392]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-09-22 1695744]
    "GSICONEXE"="gsicon.exe" [2003-05-14 90112]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-15 26112]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-17 2033432]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-6-15 1208320]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-01-17 10:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
    "c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
    "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Anno 1701\\Anno1701.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/01/2010 17:27 207792]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/01/2010 10:39 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/01/2010 10:39 360584]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/01/2010 10:39 285392]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [16/01/2010 17:30 112592]
    R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [25/11/2004 19:57 223112]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [16/01/2010 17:27 359624]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove--jEtVCPJab - c:\windows\system32\-jEtVCPJab.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-01-17 21:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8A8A8618]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba96cf28
    \Driver\ACPI -> ACPI.sys @ 0xba75fcb8
    \Driver\atapi -> atapi.sys @ 0xba6e1852
    IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: 802.11g MiniPCI Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba56bbd4
    PacketIndicateHandler -> NDIS.sys @ 0xba577a21
    SendHandler -> NDIS.sys @ 0xba56bd44
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2634387147-1957605736-1916086949-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:c8,29,84,9b,e8,1c,11,d0,f9,09,56,a1,09,3c,ce,39,4e,59,fe,f7,e5,2b,ec,
    3f,79,c2,82,06,d9,dd,4a,34,be,cf,04,0f,9d,9b,43,18,7a,c0,cd,69,74,14,45,d9,\
    "??"=hex:ab,a1,2d,ae,71,47,97,9c,5d,99,9b,e7,bc,07,f6,26
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1004)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(1068)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(768)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\CTsvcCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Kontiki\KService.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\slserv.exe
    c:\windows\system32\UAService7.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\gsicon.exe
    c:\windows\system32\dslagent.exe
    c:\windows\Bs350u2\StillMnt.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-17 21:42:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-17 21:42
    ComboFix2.txt 2010-01-17 20:31

    Pre-Run: 10,648,952,832 bytes free
    Post-Run: 10,610,450,432 bytes free

    - - End Of File - - 35B8C5226F4E16292EC10A1AFAD8DE01


    and HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:43:18, on 17/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kontiki\KService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\system32\gsicon.exe
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\Bs350u2\StillMnt.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO:  - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StillMnt] Bs350u2r.exe /StartStillMnt
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 9616 bytes

    thanks for all your help on this.
     
  10. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.

    =====================================================

    Please download The Avenger by Swandog46 to your Desktop.
    - Right click on the Avenger.zip folder and select Extract All...
    - Follow the prompts and extract the avenger folder to your desktop

    Double click on avenger.exe.
    Click OK in pop-up window.

    Avenger window will open.

    Click on Execute button.
    Click OK in two consecutive pop-up windows.

    Your computer will re-boot now.

    Upon re-boot, Notepad window will open.
    Select all text, copy it, and paste it into next reply.

    NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
     
  11. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    OK, I ran Avenger and on restarting the computer I got a message saying:

    Windows - No Disk
    Exception Processing Message c0000013 parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

    I pressed Cancel (I had to press Cancel about 5 times). I never had this message before.

    The log from Avenger was:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    Swandog46's Public Anti-Malware Tools

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished! Terminate.
     
  12. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  13. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Hi
    This is the logfile from Kaspersky. It's saying there's nothing there, but whenever I click a link on Google, I'm still being redirected to random sites. Is this something to do with Internet Explorer rather than a virus?


    Tuesday, January 19, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, January 19, 2010 17:58:49
    Records in database: 3334144


    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes

    Scan area My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics
    Objects scanned 172122
    Threats found 0
    Infected objects found 0
    Suspicious objects found 0
    Scan duration 04:52:47

    No threats found. Scanned area is clean.
    Selected area has been scanned.
     
  14. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Unless you willingly installed Kontiki Player....
    Go Start>Control Panel>Add\Remove ("Programs and Features" in Vista), and uninstall Sky Anytime (if present).
    Download, and run KClean.exe: http://static.sky.com/kclean/KClean.exe to remove Kontiki from your computer.
    NOTE: Kontiki is a known resource hog.

    ===============================================================

    Print this post out, since at some point you won't have access to it.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE


    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    - O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    - O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    - O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    - O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
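    As an added example (not part of this thread and not code from HijackThis), the following Python script reads a log in the HijackThis 2.0.x layout quoted in this thread, groups entries by section (R0/R1, O2, O4, O23 and so on) and marks the ones a reviewer would look at first: a browser proxy pointing at the local machine, a BHO with no display name, a startup command with no full path, and a service with no vendor string. The review rules are generic assumptions of this example and give no verdict on the log posted here; the sample lines are copied in the format shown above and constructed into a short log for the script to run on.

```python
"""
Added example: reader for HijackThis 2.0.x logs with a few generic review rules.
The rules are assumptions of this example, not verdicts on any particular log.
"""
import re
from collections import defaultdict

# Constructed sample in the HijackThis layout (a few lines of the kind this thread shows).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:31:26, on 21/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO:  - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "R1 - payload", "O4 - payload", ... : section code, then the entry itself.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# O4 payload: HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^(HK\S+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# O23 payload: Service: name - vendor - path   (vendor may be empty: "name - - path")
O23_RE = re.compile(r"^Service: (.+?) -\s*(.*?)\s*- ([A-Za-z]:\\.*)$")
# O2 payload: BHO: name - {CLSID} - path   (name may be empty)
BHO_RE = re.compile(r"^BHO:\s*(.*?)\s*-\s*\{([0-9A-Fa-f-]+)\}")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_hjt_log(text):
    """Return (running processes, {section: [payload, ...]}) for a HijackThis log."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)


def review_flags(entries):
    """Generic review heuristics (assumed for this example); returns (section, reason, payload)."""
    flags = []
    for payload in entries.get("R1", []):
        m = re.search(r"ProxyServer = (.+)$", payload)
        if not m:
            continue
        # Value looks like "http=host:port" or "host:port", ';'-separated per protocol.
        for part in m.group(1).split(";"):
            host = part.split("=", 1)[-1].rsplit(":", 1)[0].strip()
            if host in LOOPBACK:
                flags.append(("R1", "IE proxy points at this machine; confirm which installed program listens there", payload))
                break
    for payload in entries.get("O2", []):
        m = BHO_RE.match(payload)
        if m and not m.group(1):
            flags.append(("O2", "BHO registered without a display name", payload))
    for payload in entries.get("O4", []):
        m = O4_RE.match(payload)
        if m and not re.match(r"^[A-Za-z]:\\", m.group(3).strip('"')):
            flags.append(("O4", "startup command has no full path; resolve which file actually runs", payload))
    for payload in entries.get("O23", []):
        m = O23_RE.match(payload)
        if m and m.group(2).strip() in ("", "Unknown owner"):
            flags.append(("O23", "service has no vendor string", payload))
    return flags


if __name__ == "__main__":
    procs, ents = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, sections: {sorted(ents)}")
    for section, reason, payload in review_flags(ents):
        print(f"[{section}] {reason}\n    {payload}")
```

    Feed it a saved HijackThis log (`parse_hjt_log(open(path).read())`) and the flagged entries come out in the same order as the sections they belong to; anything it marks still needs a human to decide whether the entry is legitimate software, as the posts in this thread do.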
     
  15. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Did the above.
    New HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:31:26, on 21/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\system32\gsicon.exe
    C:\WINDOWS\system32\dslagent.exe
    C:\WINDOWS\Bs350u2\StillMnt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO:  - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StillMnt] Bs350u2r.exe /StartStillMnt
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8925 bytes
     
  16. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): Safe Browsing Tool | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read "How did I get infected? With steps so it does not happen again!"

    9. Please let me know how your computer is doing.
     
  17. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Good news that the system is clean, but I'm still getting redirected to random websites when I click on Google links. Is this something to do with Internet Explorer rather than a virus then? I also get the odd pop-up even though I've selected to stop them...
     
  18. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    OK. I wasn't aware of redirection being still present.

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow prompts.
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  19. missmcmonkeymcbean

    missmcmonkeymcbean Techie7 New Member

    Sorry, I should have mentioned it in the previous post.

    Log for mbr:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
     
  20. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    OK.
    Download Kenco.exe to your desktop

    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you ( it will be saved in the same place as Kenco.exe).