MSN MSIE Wont connect, virus. OH NOES!

54 answers
  1. Ok, for some reason my original post doesn't show....


    Hello there, computer geek in trouble. I have a computer that received a nasty virus on Sunday that none of my scanners can seem to pick up.

    I noticed the computer was loading TONS of oho0f.exe's in Task Manager, and I have never seen these before. Figuring they were viral, I closed some, and they would keep loading back up. I could find nothing online about them, so I started scanning. Eventually I found I had abcjump and some other redirector that was preventing my research on this problem, and eventually MSIE and MSN would not connect to the internet (I did find 16-20 trojans, though, all of which seemed to have sneaked by my McAfee scanner). However, Steam and ICQ would, and the scanners I was using could still get updates.
    I installed NOD, Ad-Aware and Malwarebytes, and I've run CCleaner and Trend Micro Security Center in addition to McAfee... and still cannot find a name or even a hit on this virus. ICQ worked for a while, and now won't. I'm using a Swedish version of Firefox, and it works fine. FTP is still good too. When I boot the computer it says something about a drive not being available and I don't have access to it. Also, I can't eliminate anything from msconfig as it's saying I don't have administrator access (I am the admin), and when I try to do
    sfc /scannow it freezes.

    When I run Kaspersky's online scanner, I get a BSOD IRQL not less or equal crash. Also, my DVD burner isn't showing as a burner anymore.

    I've also run all the scans in safe mode.

    Here is the HijackThis info:
  2. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:22 PM, on 7/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\vVX6000.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\ICQ6\ICQ.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
    O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
    O4 - Global Startup: UltraMon.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214961248968
    O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 12324 bytes
  3. --------[ EVEREST Ultimate Edition ]------------------------------------------------------------------------------------

    Version EVEREST v4.60.1500
    Benchmark Module 2.3.237.0
    Homepage http://www.lavalys.com/
    Report Type Report Wizard
    Computer PIMP-6BVMACV9YE
    Generator kev
    Operating System Microsoft Windows XP Professional 5.1.2600 (WinXP Retail)
    Date 2009-07-15
    Time 21:08


    --------[ Summary ]-----------------------------------------------------------------------------------------------------

    Computer:
    Computer Type ACPI Multiprocessor PC
    Operating System Microsoft Windows XP Professional
    OS Service Pack Service Pack 3
    Internet Explorer 7.0.5730.13 (IE 7.0)
    DirectX 4.09.00.0904 (DirectX 9.0c)
    Computer Name PIMP-6BVMACV9YE
    User Name kev
    Logon Domain PIMP-6BVMACV9YE
    Date / Time 2009-07-15 / 21:08

    Motherboard:
    CPU Type DualCore AMD Athlon 4050e, 2100 MHz (10.5 x 200)
    Motherboard Name Asus M3A (3 PCI, 2 PCI-E x1, 1 PCI-E x16, 4 DDR2 DIMM, Audio, Gigabit LAN)
    Motherboard Chipset AMD 770, AMD Hammer
    System Memory 3072 MB (DDR2-800 DDR2 SDRAM)
    DIMM1: Kingston 2G-UDIMM 2 GB DDR2-800 DDR2 SDRAM (5-5-5-18 @ 400 MHz) (4-4-4-12 @ 266 MHz) (3-3-3-9 @ 200 MHz)
    DIMM3: Kingston KTC1G-UDIMM 1 GB DDR2-800 DDR2 SDRAM (5-5-5-18 @ 400 MHz) (4-4-4-12 @ 266 MHz) (3-3-3-9 @ 200 MHz)
    BIOS Type AMI (05/12/08)
    Communication Port Communications Port (COM1)

    Display:
    Video Adapter ATI Radeon HD 3600 Series (512 MB)
    Video Adapter ATI Radeon HD 3600 Series (512 MB)
    Video Adapter NVIDIA GeForce FX 5200 (Microsoft Corporation) (128 MB)
    3D Accelerator ATI Radeon HD 3650 (RV635)
    3D Accelerator nVIDIA GeForce FX 5200
    Monitor Acer AL1916 [19" LCD] (1541323)
    Monitor LG L1932TQ (Digital) / Flatron T930B (160934684)
    Monitor Plug and Play Monitor [NoDB] (170116843009)

    Multimedia:
    Audio Adapter ATI Radeon HDMI @ ATI RV635 - High Definition Audio Controller
    Audio Adapter Creative SB Live! Value (CT4830) Sound Card
    Audio Adapter Realtek ALC883 @ ATI SB600 - High Definition Audio Controller

    Storage:
    IDE Controller AMD PCI IDE Controller
    IDE Controller AMD SATA Controller(Native IDE Mode)
    Storage Controller AN18LKI5 IDE Controller
    Storage Controller VAXSCSI Controller
    Disk Drive ST31000528AS
    Disk Drive ST3250410AS (250 GB, 7200 RPM, SATA-II)
    Optical Drive HL-DT-ST DVDRAM GH20NS10 (DVD+R9:10x, DVD-R9:10x, DVD+RW:20x/8x, DVD-RW:20x/6x, DVD-RAM:12x, DVD-ROM:16x, CD:48x/32x/48x DVD+RW/DVD-RW/DVD-RAM)
    Optical Drive IQ2548T JGG054J SCSI CdRom Device
    Optical Drive QNS G96VC5UF SCSI CdRom Device
    SMART Hard Disks Status Unknown

    Partitions:
    C: (NTFS) 232.9 GB (153.4 GB free)
    H: (NTFS) 931.5 GB (731.8 GB free)
    Total Size 1164.4 GB (885.3 GB free)

    Input:
    Keyboard HID Keyboard Device
    Mouse Microsoft USB IntelliMouse Optical (IntelliPoint)

    Network:
    Primary IP Address 192.168.1.100
    Primary MAC Address 00-0C-41-62-48-44
    Network Adapter Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller (192.168.1.103)
    Network Adapter Wireless-G PCI Adapter (192.168.1.100)

    Peripherals:
    Printer HP Deskjet F4100 series
    Printer Microsoft XPS Document Writer
    Printer Send To OneNote 2007
    Printer WebEx Document Loader
    USB1 Controller ATI SB600 - OCHI USB Controller
    USB1 Controller ATI SB600 - OCHI USB Controller
    USB1 Controller ATI SB600 - OCHI USB Controller
    USB1 Controller ATI SB600 - OCHI USB Controller
    USB1 Controller ATI SB600 - OCHI USB Controller
    USB2 Controller ATI SB600 - EHCI USB 2.0 Controller
    USB Device C-Media USB Sound Device
    USB Device Generic USB Hub
    USB Device Microsoft LifeCam VX-6000 #6
    USB Device Microsoft LifeCam VX-6000.
    USB Device Microsoft USB IntelliMouse Optical
    USB Device USB Composite Device
    USB Device USB Composite Device
    USB Device USB Composite Device
    USB Device USB Human Interface Device
    USB Device USB Human Interface Device
    USB Device USB Human Interface Device

    DMI:
    DMI BIOS Vendor American Megatrends Inc.
    DMI BIOS Version 0901
    DMI System Manufacturer System manufacturer
    DMI System Product System Product Name
    DMI System Version System Version
    DMI System Serial Number System Serial Number
    DMI System UUID 40CA3B7A-08AEDC11-8691001E-8C6AEB59
    DMI Motherboard Manufacturer ASUSTeK Computer INC.
    DMI Motherboard Product M3A
    DMI Motherboard Version Rev 1.xx
    DMI Motherboard Serial Number MB-1234567890
    DMI Chassis Manufacturer Chassis Manufacture
    DMI Chassis Version Chassis Version
    DMI Chassis Serial Number Chassis Serial Number
    DMI Chassis Asset Tag Asset-1234567890
    DMI Chassis Type Desktop Case


    --------[ Debug - PCI ]-------------------------------------------------------------------------------------------------
  4. The only line that jumps out is:

    O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll

    The two DLL files, ragutali.dll and bazisomi.dll, only produce a few negative results when researched.

    There was one indication that the malware could be related to a vundo infection. The later Vundo variants have the ability to hide themselves from a HJT scan.

    Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe and rename HijackThis.exe to Analyse.exe and run the scan again. We'll see if anything more pops up.
  5. Thanks for the fast reply and the information.

    I'm about to do the scan again, but an interesting note: I imported my bookmarks, passwords and cookies into Firefox using their import button, and it too stopped having access to the internet.
    I ran CCleaner, uninstalled Firefox and reinstalled it to come back here.
  6. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:20:53 PM, on 7/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\vVX6000.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\ICQ6\ICQ.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\analyze.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
    O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
    O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
    O4 - Global Startup: UltraMon.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214961248968
    O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: c:\windows\system32\ragutali.dll,C:\WINDOWS\system32\bazisomi.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 12322 bytes
  7. I also did a Start > Search on ragutali.dll and bazisomi.dll and nothing came up, hmm.
  8. OK.... The scan didn't turn up anything more.

    First thing, you have evidence of three antivirus products running resident.

    NOD32, Mcafee and Symantec / Norton.

    You said that you are running NOD32? I have provided links below to remove Mcafee and Norton with their removal tools.

    http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

    http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

    Can you open Malwarebytes Anti-Malware and click on the "Logs" tab? Post the most recent MBAM logfile.

    Download, install, update then run SUPERAntiSpyware (SAS)

    http://www.superantispyware.com/

    Clean everything it finds and post the log from this scan also.

    Click Preferences, then click the Statistics/Logs tab and, under Scanner Logs, double-click SUPERAntiSpyware Scan Log. Post the most recent (there should only be one).

    I will be away for a few hours, but will look at the logs when I return.
  9. kevin2m4 said:
    I also did a Start > Search on ragutali.dll and bazisomi.dll and nothing came up, hmm.


    They are probably hidden files. You will need to go into control panel > folder options and highlight "Show hidden files and folders" and apply the change.

    Once this is done go to virustotal and upload the files for analysis.

    http://www.virustotal.com/

    You will get a log for each; can you provide those as well?
  10. When you browse for them you will need to navigate to:

    c:\windows\system32\ragutali.dll

    and

    C:\WINDOWS\system32\bazisomi.dll
  11. OK, I removed NAV and McAfee.
    I have the 4 most recent Malwarebytes files:

    1st
    Malwarebytes' Anti-Malware 1.36
    Database version: 2128
    Windows 5.1.2600 Service Pack 3

    7/13/2009 2:33:25 AM
    mbam-log-2009-07-13 (02-33-25).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 84260
    Time elapsed: 13 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
    C:\Documents and Settings\kev\Local Settings\Temporary Internet Files\Content.IE5\76VFCIL6\udvvmquz[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\kev\Local Settings\Temporary Internet Files\Content.IE5\PIAUL9W9\xhuyph[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\kev\Local Settings\Temporary Internet Files\Content.IE5\X41CFAM4\slvanev[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.


    2nd

    Malwarebytes' Anti-Malware 1.36
    Database version: 2128
    Windows 5.1.2600 Service Pack 3

    7/13/2009 9:27:39 PM
    mbam-log-2009-07-13 (21-27-39).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 91134
    Time elapsed: 16 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    3rd

    Malwarebytes' Anti-Malware 1.36
    Database version: 2128
    Windows 5.1.2600 Service Pack 3

    7/13/2009 10:33:17 PM
    mbam-log-2009-07-13 (22-33-17).txt

    Scan type: Quick Scan
    Objects scanned: 119023
    Time elapsed: 15 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpi32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\acpi32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\acpi32.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\TMP11E2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\kev\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\BN38.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\smss.exe_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

    4th
    Malwarebytes' Anti-Malware 1.36
    Database version: 2128
    Windows 5.1.2600 Service Pack 3

    7/14/2009 12:53:25 AM
    mbam-log-2009-07-14 (00-53-25).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 236361
    Time elapsed: 27 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  12. While running SUPERAntiSpyware I got the BSOD; it dumped physical memory and rebooted.

    Also, I went into the system32 folder myself, and those DLL files are not there.
  13. On a good note, the "HDD not available" popup is gone, and I can now change things in msconfig.
  14. Never mind, the "HD not available" popup is still there, and no matter what scan I run in SUPERAntiSpyware, I get a BSOD "page fault in non paged area".
  15. I might have missed where you said it, but make sure you update Malwarebytes, boot into Safe Mode and do a full scan there; it's your only chance. Also try System Restore, but I am almost sure it was disabled as soon as the virus infected you!

    -Here is an important note to consider: With viruses, let's say you get infected, okay, and I am not talking about a specific virus, just an average virus that I made up that's very popular. So the virus goes into your Windows files and registry and disables System Restore; next it makes it so everything is redirected to a certain website; next it edits your Windows to make sure you can't get to any security sites like Microsoft; next it disables many of your anti-virus programs, etc. It basically eliminates all threats to its existence on your computer. What it's doing is actually importing files and editing/adding registry keys to do all this. Remember, a virus is no different from a normal file; in fact a virus is just a program, and humans call these programs viruses because they do what you don't want them to do. And that, my friend, is why even if you do remove the virus, the "damage" has already been done: the files have been put inside, the registry has already been edited, and your anti-virus is not going to undo these changes, it's only going to undo the source, so once the damage has been done, it's been done. It's like, let's say a bullet is a virus, and somebody shoots another person with a gun, and the bullet goes right through their kidney, let's say; a doctor (the anti-virus) can take out the bullet, however the damage to the kidney (your computer) has already been done. And that brings me to the next point, that it's better to prevent having viruses in the first place than to hunt them down when they have already infected you. And that is why you are very likely going to have to demolish your system and reinstall XP.
  16. Let's see if we can get SAS to run.

    Open the program and click on Configuration and Preferences, click the Preferences button.
    Click on the Scanning Control tab and under scanner options uncheck
    Use Kernel Direct File Access (recommended)
    and
    Use Kernel Direct Registry Access (recommended)

    Now try running the scanner.
  17. :(


    Well, it looks like disabling those 2 options is working; SAS is finding some things.

    I have to go to work; I'll let it scan and see when I come back (12 hours :'( ).
  18. OK, I came home and my computer wasn't off, which is good, because usually I'd set a scan and it would shut down on me. But it had rebooted.
    I ran the scan again and cleared the items.

    Now, even if I am clear of viruses (which I am sure I'm not), how do I get administrator access back, how do I get internet back for MSN, ICQ and MSIE, and how do I get back my DVD burner?
  19. Read my last post on this board and that's your answer. You might very well be clear of the viruses, but as I said in my post, the damage has been done. I gave a good analogy in the post; read it and it will be clear that your only way, most likely, is to demolish XP, full format, and rebuild XP.

    -I am sure you can fix it, but there are many millions of Windows files and registry keys and you need to find certain ones and correctly tweak them back to what they were, which you probably don't know and won't be able to do; a professional service for this will cost you a lot, so rebuilding is the easiest way out.
  20. If you don't want to rebuild after a virus in the future, spend some money on a program called Ghost (it's worth it) and, after you install updates, vital programs and drivers, make a mirror image of your system on a CD, so if a virus infects you, you can format and restore that image in under an hour and be well on your way enjoying your system ;)
  21. As blackhawk stated in his post, the malware can take out vital processes and services. It gives itself administrator privileges so it can do this, and it also prevents other users from gaining admin rights (which is the case with yours at the moment).

    Often disinfecting the system will restore the PC, but it is not a guarantee. There are many fixes available though, so all is not lost.

    Have you got the SAS log handy? There were multiple infections on your PC. ZLOB was one; it is one of the most well known DNS changers (likely the reason you have trouble letting MS apps access the net). I need to see if there are others which may interfere with the next step.
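Two things said above go together: blackhawk's description of malware that redirects traffic and blocks security sites, and the remark that ZLOB is a DNS changer. One of the cheapest places to look for that behaviour is the hosts file, which Windows consults before DNS. The following is an added example, not code from this thread or from any tool named in it: a Python audit that parses hosts-file text and flags entries that pin update or AV vendor names to a sink address (blocking them) or map any name to a non-local address (redirecting it). The vendor suffix list and the sample hosts content are constructed for this example; a Zlob-style DNS changer can also alter the adapter's DNS server settings, which this check does not cover, and intranet entries that legitimately point at internal addresses would need an allow-list.

```python
import ipaddress

# Name suffixes a defender wants resolving normally (assumed list for this example):
# OS updates, the AV vendors named in this thread, and the scan sites the helpers linked.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com", "symantec.com",
    "eset.com", "malwarebytes.org", "superantispyware.com", "virustotal.com",
)


def parse_hosts(text: str) -> list[tuple]:
    """Return (line_number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not "address name [name ...]"; skip malformed lines
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name: str) -> bool:
    """True if the name is, or is under, one of the watched suffixes."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> list[dict]:
    """Flag hosts entries that block watched sites or redirect names elsewhere."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        # 127.x / ::1 / 0.0.0.0 are "sink" targets: the name stops resolving to anything useful.
        sink = addr.is_loopback or addr.is_unspecified
        if sink and is_watched(name):
            findings.append({"line": lineno, "name": name, "addr": str(addr),
                             "issue": "blocked: update/security site pinned to a sink address"})
        elif not sink:
            findings.append({"line": lineno, "name": name, "addr": str(addr),
                             "issue": "redirected: name resolves to a non-local address via hosts"})
    return findings


# Constructed sample; not a capture from the machine in this thread.
# 203.0.113.5 is a documentation (TEST-NET-3) address used as a stand-in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com update.microsoft.com
0.0.0.0         ads.example.net
203.0.113.5     www.google.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['addr']}  [{f['issue']}]")
```

On XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; a clean default contains only the localhost line, so anything the audit reports is worth explaining before trusting the "fixed" verdict later in the thread.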
  22. kevin2m4 said:
    On a good note, the "HDD not available" popup is gone, and I can now change things in msconfig.


    This is a good sign. It indicates the malware was wounded, but it restored itself, probably after a reboot.

    I really need to see the SAS log before we continue.
  23. I need to go to work, so I have provided further instructions. Please follow them very carefully, and if you are unsure about anything, discontinue and ask a question.

    Run combofix and post the log.

    Disable any realtime protection. AV or resident spyware apps.

    Here are the instructions:

    Download Combofix to your desktop.

    Note: It is important that it is saved directly to your desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Close any open browsers and windows except for Combofix

    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note: Do not mouse-click ComboFix's window while it's running; it can cause the program to freeze/hang.

    In some cases your antivirus or other realtime scanner will display an alert after you download ComboFix or while you use ComboFix; please disable your scanners, delete the copy off the desktop and download ComboFix again.
    Some scanners may see some ComboFix-related components as suspicious and block or delete them. There's nothing wrong with ComboFix; heuristic detection can report this false positive because of ComboFix's removal technique.
  24. I ran ComboFix last night (I was a little tipsy). When I woke up this morning, MSN was connected; I rebooted, the window telling me I didn't have admin access was gone, and I burned a CD to listen to, so the drive works.
    It looks like it is fixed.
    I will post the SAS log and ComboFix log when I get home tonight.
  25. That's good news.

    Can you also include a fresh HijackThis log, please?
  26. ZLOB!!! IT'S THE WORST VIRUS! I have had Zlob and it was just something unbelievable; malware wounded it but couldn't get it out. I spent 2 weeks literally hunting its keys and traces down in my own registry and finally I just gave up and rebuilt my OS. Zlob is like a level 9-10 virus, which is one of the worst and hardest to get rid of. And it's a Russian-made virus, I am pretty sure. My people are up to no good.
  27. ComboFix 09-07-14.08 - kev 07/17/2009 0:22:44.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2623 [GMT -4:00]
    Running from: C:\Documents and Settings\kev\My Documents\Hentede filer\ComboFix.exe
    AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\kev\Application Data\bcrypt.html
    C:\Documents and Settings\kev\Application Data\inst.exe
    C:\Program Files\sFX
    C:\Program Files\WinPCap
    C:\Program Files\WinPCap\rpcapd.exe
    C:\RECYCLER\S-1-5-21-5223466556-8096075262-254021249-8367
    C:\WINDOWS\010112010146118114.dat
    C:\WINDOWS\system32\ATIODCLI.exe
    C:\WINDOWS\system32\ATIODE.exe
    C:\WINDOWS\system32\drivers\hjgruimugohrfu.sys
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\hjgruiakwuisux.dat
    C:\WINDOWS\system32\hjgruinqtacyvt.dll
    C:\WINDOWS\system32\hjgruinwovsuab.dll
    C:\WINDOWS\system32\hjgruiycxmjqnm.dat
    C:\WINDOWS\system32\Packet.dll
    C:\WINDOWS\system32\pthreadVC.dll
    C:\WINDOWS\system32\uuddc32.dll
    C:\WINDOWS\system32\WanPacket.dll
    C:\WINDOWS\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_hjgruiyfvxjeao
    -------\Legacy_acpi32
    -------\Legacy_npf
    -------\Legacy_sfx
    -------\Legacy_sfxdrv
    -------\Service_npf
    -------\Service_sfx


    ((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
    .

    2009-07-17 04:22:44 . 2009-07-17 04:22:44 0 d-----w- C:\Documents and Settings\kev\Local Settings\Application Data\ESET
    2009-07-16 04:30:21 . 2009-07-16 07:11:23 0 d-----w- C:\Program Files\Trillian
    2009-07-16 03:48:51 . 2009-07-17 09:55:13 117760 ----a-w- C:\Documents and Settings\kev\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-07-16 03:44:25 . 2009-07-16 03:44:25 0 d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-07-16 03:43:31 . 2009-07-16 03:43:34 0 d-----w- C:\Program Files\SUPERAntiSpyware
    2009-07-16 03:43:31 . 2009-07-16 03:43:31 0 d-----w- C:\Documents and Settings\kev\Application Data\SUPERAntiSpyware.com
    2009-07-16 03:34:37 . 2009-07-16 03:34:37 0 d-----w- C:\Documents and Settings\All Users\Application Data\NortonInstaller
    2009-07-16 00:16:38 . 2009-07-16 00:16:38 0 d-----w- C:\WINDOWS\system32\config\systemprofile\Tracing
    2009-07-15 14:25:31 . 2009-07-15 14:25:31 8224 ----a-w- C:\Documents and Settings\Administrator.PIMP-6BVMACV9YE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-07-15 14:25:27 . 2009-07-15 14:25:27 0 d-----w- C:\Documents and Settings\Administrator.PIMP-6BVMACV9YE\Application Data\Ahead
    2009-07-15 14:25:14 . 2009-07-15 14:25:14 0 d-----w- C:\Documents and Settings\Administrator.PIMP-6BVMACV9YE\Local Settings\Application Data\Ahead
    2009-07-15 04:26:54 . 2009-07-15 04:26:40 102664 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
    2009-07-15 04:26:36 . 2009-07-15 04:27:06 0 d-----w- C:\Documents and Settings\kev\.housecall6.6
    2009-07-15 04:19:41 . 2009-07-15 04:19:41 0 d-----w- C:\Program Files\Trend Micro
    2009-07-14 05:55:41 . 2009-07-14 05:55:41 0 d-----w- C:\Program Files\ESET
    2009-07-14 05:55:41 . 2009-07-14 05:55:41 0 d-----w- C:\Documents and Settings\All Users\Application Data\ESET
    2009-07-14 05:44:07 . 2009-07-14 05:44:07 0 ----a-w- C:\WINDOWS\nsreg.dat
    2009-07-14 05:44:01 . 2009-07-14 05:44:01 0 d-----w- C:\Documents and Settings\kev\Local Settings\Application Data\Mozilla
    2009-07-13 04:53:33 . 2009-07-13 04:53:33 40960 --sh--r- C:\WINDOWS\system32\flashd32.dll
    2009-07-13 04:51:33 . 2009-07-13 05:49:32 0 ----a-w- C:\WINDOWS\system32\drivers\cbdf3c78.sys
    2009-07-13 04:50:48 . 2009-07-13 04:50:48 22627 ----a-w- C:\vfjmbvbg.exe
    2009-07-13 04:30:08 . 2009-07-14 02:42:59 0 d-----w- C:\Program Files\Easy-Hide-IP
    2009-07-07 06:06:25 . 2009-07-07 06:06:38 0 d-----w- C:\WINDOWS\system32\NtmsData
    2009-06-28 00:21:16 . 2009-06-28 00:21:16 0 d-----w- C:\Documents and Settings\kev\Report Files
    2009-06-28 00:12:55 . 2009-06-28 00:15:47 1024 ---h--r- C:\WINDOWS\system32\NTIBUN4.dll
    2009-06-28 00:12:50 . 2009-06-28 00:12:50 6144 ----a-w- C:\WINDOWS\system32\drivers\NTIDrvr.sys
    2009-06-24 01:53:37 . 2009-06-24 01:55:45 0 d-----w- C:\Documents and Settings\kev\Application Data\Winamp
    2009-06-24 01:53:37 . 2009-06-24 01:55:43 0 d-----w- C:\Program Files\Winamp
    2009-06-21 04:47:02 . 2009-06-21 04:47:32 0 d-----w- C:\Program Files\QuickTime
    2009-06-21 04:47:01 . 2009-06-21 04:47:01 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2009-06-18 03:19:19 . 2009-07-17 01:51:46 0 d-----w- C:\Program Files\SpeedFan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-17 09:55:26 . 2009-02-01 19:31:06 0 d-----w- C:\Program Files\Steam
    2009-07-17 08:06:44 . 2009-04-10 18:40:08 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2009-07-17 04:27:07 . 2004-08-04 15:00:00 182656 ----a-w- C:\WINDOWS\system32\drivers\ndis.sys
    2009-07-17 04:20:11 . 2009-06-11 05:49:58 0 d-----w- C:\Program Files\FreeRapid-0.82
    2009-07-16 03:53:08 . 2009-01-24 05:59:58 0 d-----w- C:\Documents and Settings\All Users\Application Data\McAfee
    2009-07-16 03:43:12 . 2009-01-24 03:44:46 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
    2009-07-16 03:37:32 . 2008-07-01 16:47:44 0 d-----w- C:\Program Files\Common Files\Symantec Shared
    2009-07-16 01:21:41 . 2008-09-13 15:37:34 0 d-----w- C:\Program Files\FlashFXP
    2009-07-15 04:11:41 . 2008-08-16 02:10:15 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
    2009-07-15 04:11:23 . 2009-01-24 06:17:33 0 d-----w- C:\Documents and Settings\LocalService\Application Data\SACore
    2009-07-14 12:53:21 . 2008-07-01 15:02:11 70064 ----a-w- C:\Documents and Settings\kev\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-07-14 04:56:04 . 2008-07-01 15:04:27 0 d--h--w- C:\Program Files\InstallShield Installation Information
    2009-07-14 02:41:14 . 2009-01-24 03:33:07 0 d-----w- C:\Program Files\Total Video Converter
    2009-07-14 02:37:58 . 2009-01-18 22:42:46 0 d-----w- C:\Program Files\Garena
    2009-07-14 01:49:33 . 2009-01-31 22:52:13 1324 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
    2009-07-13 05:59:28 . 2009-01-29 02:54:21 0 d-----w- C:\Program Files\Hard Disk Sentinel
    2009-07-10 21:56:50 . 2009-04-05 06:03:43 0 d-----w- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2009-07-07 05:48:09 . 2009-07-07 05:47:51 0 d-----w- C:\Program Files\C-Media USB Sound
    2009-06-16 14:36:30 . 2004-08-04 15:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
    2009-06-16 14:36:30 . 2004-08-04 15:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
    2009-06-16 02:31:50 . 2008-07-18 18:04:42 0 d-----w- C:\Documents and Settings\kev\Application Data\Image Zone Express
    2009-06-09 06:40:29 . 2009-06-09 06:40:24 0 d-----w- C:\Program Files\Motherboard Monitor 5
    2009-06-05 23:37:15 . 2009-04-27 02:59:58 8673792 ----a-w- C:\Documents and Settings\All Users\Application Data\atscie.msi
    2009-06-05 23:36:34 . 2009-06-05 23:36:34 0 d-----w- C:\Program Files\Common Files\Pure Networks Shared
    2009-06-05 22:54:29 . 2009-06-05 22:54:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Maxtor
    2009-06-05 22:54:24 . 2009-06-05 22:51:18 44384 ----a-w- C:\WINDOWS\system32\drivers\tifsfilt.sys
    2009-06-05 22:54:24 . 2009-06-05 22:51:18 441760 ----a-w- C:\WINDOWS\system32\drivers\timntr.sys
    2009-06-05 22:54:21 . 2009-06-05 22:51:11 132224 ----a-w- C:\WINDOWS\system32\drivers\snapman.sys
    2009-06-05 22:54:17 . 2009-06-05 22:51:06 368480 ----a-w- C:\WINDOWS\system32\drivers\tdrpman.sys
    2009-06-05 22:54:15 . 2009-06-05 22:50:29 0 d-----w- C:\Program Files\Common Files\Seagate
    2009-06-05 22:51:26 . 2009-06-05 22:51:26 0 d-----w- C:\Documents and Settings\All Users\Application Data\Seagate
    2009-06-05 22:50:29 . 2009-06-05 22:50:29 0 d-----w- C:\Program Files\Seagate
    2009-06-03 19:09:37 . 2004-08-04 15:00:00 1291264 ----a-w- C:\WINDOWS\system32\quartz.dll
    2009-05-31 07:31:02 . 2009-04-25 21:12:43 0 d-----w- C:\Documents and Settings\kev\Application Data\Nokia
    2009-05-31 03:28:49 . 2009-05-31 03:28:37 0 d-----w- C:\Program Files\AGEIA Technologies
    2009-05-31 03:28:07 . 2009-05-31 03:28:07 413696 ----a-w- C:\WINDOWS\system32\wrap_oal.dll
    2009-05-31 03:28:07 . 2009-05-31 03:28:07 110592 ----a-w- C:\WINDOWS\system32\OpenAL32.dll
    2009-05-31 03:28:07 . 2009-05-31 03:28:07 0 d-----w- C:\Program Files\OpenAL
    2009-05-14 03:04:30 . 2009-05-14 03:04:30 552 ----a-w- C:\WINDOWS\system32\d3d8caps.dat
    2009-05-07 15:32:35 . 2004-08-04 15:00:00 345600 ----a-w- C:\WINDOWS\system32\localspl.dll
    2009-04-29 04:56:02 . 2004-08-04 15:00:00 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
    2009-04-29 04:55:56 . 2004-08-04 15:00:00 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
    2009-04-25 21:28:50 . 2009-04-25 21:28:50 8192 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
    2009-04-25 21:28:50 . 2009-04-25 21:28:50 61440 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2009-04-25 21:28:50 . 2009-04-25 21:28:50 10240 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
    2009-04-25 21:28:36 . 2009-04-25 21:29:03 34396584 ----a-w- C:\Documents and Settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
    2009-04-20 04:18:07 . 2009-04-20 04:18:07 161352 ----a-w- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-06-24 14:22:26 . 2009-07-16 02:14:26 137208 ----a-w- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2009-03-08 18:50:38 3885408]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]
    "RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 22:05:02 630784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 15:01:38 1830128]
    "Steam"="c:\program files\steam\steam.exe" [2009-06-11 01:03:29 1217784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 21:45:32 279912]
    "VX6000"="C:\WINDOWS\vVX6000.exe" [2007-04-10 21:46:43 996712]
    "IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 17:56:32 1406024]
    "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 19:05:24 1410304]
    "Maxtor Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 23:56:52 136472]
    "MaxBlastMonitor.exe"="C:\Program Files\Seagate\DiscWizard\MaxBlastMonitor.exe" [2008-06-27 21:01:28 1325800]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 01:52:38 49152]
    "Hard Disk Sentinel"="C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" [2009-01-29 04:41:55 3407360]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 11:00:48 33648]
    "DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 23:52:18 1325848]
    "AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 00:06:22 904768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-03-08 18:50:38 3885408]

    C:\Documents and Settings\kev\Start Menu\Programs\Startup\
    RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-18 630784]
    TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
    UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-5-21 180224]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2009-1-20 29310]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMBalloonTip"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{38101905-D80F-4788-96F6-986A8186178A}"= "C:\WINDOWS\system32\flashd32.dll" [2009-07-13 04:53:33 40960]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 14:13:36 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05:34 356352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^kev^Start Menu^Programs^Startup^Popup Ad Stopper.lnk]
    path=C:\Documents and Settings\kev\Start Menu\Programs\Startup\Popup Ad Stopper.lnk
    backup=C:\WINDOWS\pss\Popup Ad Stopper.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\ICQ6\\ICQ.exe"=
    "C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
    "C:\\WINDOWS\\system32\\java.exe"=
    "C:\\Program Files\\Sega\\OutRun2006 Coast 2 Coast\\OR2006C2C.EXE"=
    "C:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
    "C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
    "C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
    "C:\\WINDOWS\\system32\\dwwin.exe"=
    "C:\\Program Files\\Winamp\\winamp.exe"=
    "C:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\WINDOWS\\system32\\dpvsetup.exe"=
    "C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "C:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "94:TCP"= 94:TCP:VRS Recording System Web Control Panel
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\drivers\epfwtdir.sys [11/14/2007 3:06:38 PM 30728]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01:40 AM 9968]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01:40 AM 72944]
    R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe [1/19/2009 2:48:02 AM 355840]
    R2 ekrn;Eset Service;C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/14/2007 3:05:50 PM 455936]
    R2 FLE5WNNT;FLE-5 WindowsNT Driver;C:\WINDOWS\system32\drivers\fle5wnnt.sys [10/1/2008 10:42:51 PM 33404]
    R2 FLSIFACE;FLSIface;C:\WINDOWS\system32\drivers\flsiface.sys [10/1/2008 10:42:51 PM 13440]
    R2 FLSPAR;FLSPar;C:\WINDOWS\system32\drivers\flspar.sys [10/1/2008 10:42:51 PM 16314]
    R2 FLSSER;FLSSer;C:\WINDOWS\system32\drivers\flsser.sys [10/1/2008 10:42:51 PM 8344]
    R2 FLSVCOM;FLSVCom;C:\WINDOWS\system32\drivers\flsvcom.sys [10/1/2008 10:42:51 PM 32544]
    R2 fssfltr;FssFltr;C:\WINDOWS\system32\drivers\fssfltr_tdi.sys [2/17/2009 11:42:54 PM 55152]
    R2 MaxSch2Svc;Maxtor Scheduler2 Service;C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56:38 PM 431384]
    R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;C:\WINDOWS\system32\TUProgSt.exe [2/12/2009 9:58:44 AM 603904]
    R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22:52 PM 11776]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\drivers\l151x86.sys [7/1/2008 11:13:35 AM 36864]
    R3 cmudau32;C-Media USB UDA Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys [7/7/2009 1:48:35 AM 1414528]
    R3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01:42 AM 7408]
    R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23:14 PM 3584]
    R3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\drivers\VX6000Xp.sys [7/1/2008 2:59:06 PM 2385896]
    S1 cbdf3c78;cbdf3c78;C:\WINDOWS\system32\drivers\cbdf3c78.sys [7/13/2009 12:51:33 AM 0]
    S2 AODService;AODService;C:\Program Files\AMD\OverDrive\AODAssist --> C:\Program Files\AMD\OverDrive\AODAssist [?]
    S2 SgtSch2Svc;Seagate Scheduler2 Service;C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56:38 PM 431384]
    S3 fsssvc;Windows Live Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 7:08:58 PM 533360]
    S3 TempLog;TempLog;C:\Program Files\Hard Disk Sentinel\HDSentinel.sys [1/28/2009 10:54:21 PM 3897]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-17 C:\WINDOWS\Tasks\1-Click Maintenance.job
    - C:\Program Files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36:18 . 2008-12-11 20:36:18]

    2009-07-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34:12 . 2008-07-30 17:34:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyServer = 192.168.0.1:80
    uInternet Settings,ProxyOverride = local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    FF - ProfilePath - C:\Documents and Settings\kev\Application Data\Mozilla\Firefox\Profiles\diijkrzm.default\
    FF - plugin: C:\Program Files\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".dk");
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .
  28. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:21:47 PM, on 7/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\vVX6000.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\program files\steam\steam.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\analyze.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [Maxtor Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Seagate\DiscWizard\MaxBlastMonitor.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Hard Disk Sentinel] "C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" /AUTORUN
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
    O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
    O4 - Global Startup: UltraMon.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214961248968
    O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Maxtor Scheduler2 Service (MaxSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 11105 bytes
  29. I'm just looking over your logs; there are a couple of suspicious entries.

    Upload them to VirusTotal for analysis.

    http://www.virustotal.com/

    Click the browse button and navigate to:

    C:\vfjmbvbg.exe

    then

    C:\WINDOWS\system32\drivers\cbdf3c78.sys

    You may have to make hidden files and folders visible.

    Can you post the logs from VirusTotal please.
  30. C:\WINDOWS\System32\svchost.exe

    -Svchost can potentially be a virus; it mimics its name.
    -If you can, try doing a boot-time scan for viruses if you have software to do that... very suspicious. In a boot-time scan it can scan all processes, giving a much higher chance of catching malware/viruses.

    - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    -Many viruses can be called anti-virus but really be viruses; I am not saying it is one, but it looks suspicious to me.

    -O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    -Okay, I know what PunkBuster is, but the fact that it says unknown owner tells me it might not be verified and have the real PunkBuster's digital signature... very suspicious.

    -Can you please organize the running processes by their NAME from A-Z and repost; it will be easier for me to notice potential malware.
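The point made in the post above (that malware borrows the names of core Windows binaries such as svchost) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from HijackThis: a Python script that reads a HijackThis-style "Running processes" list (one full image path per line, which is the format both logs in this thread use) and raises three kinds of finding: a core system binary name running outside the directory it belongs in, a name within two edits of a core binary name (mimicry such as svch0st.exe), and an executable running straight from the drive root. The expected-directory table and the edit-distance threshold are the script's own assumptions; in the sample input, the first lines are copied from the thread's log, the scvhost.exe and Temp\svchost.exe lines are constructed, and C:\vfjmbvbg.exe is the file the helper asked about earlier.

```python
"""Flag running processes that impersonate Windows system binaries.

Added example, not code from the thread. Input is a HijackThis-style
"Running processes" list: one full image path per line.
"""
import ntpath  # Windows path rules, so this also runs on Linux/macOS

# Assumed directory (lower-case, drive letter stripped) where each XP core
# binary legitimately lives. Anything else with that name is suspect.
EXPECTED_DIRS = {
    "smss.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "spoolsv.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}
MIMIC_DISTANCE = 2  # 1 catches a swapped digit (svch0st), 2 catches transposed letters (scvhost)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) for lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_image_path(path: str):
    """Return (directory, basename), lower-cased, with the drive letter removed."""
    _, rest = ntpath.splitdrive(path.strip())
    directory, name = ntpath.split(rest)
    return (directory.lower().rstrip("\\") or "\\"), name.lower()


def check_process(path: str) -> list:
    """Findings for one image path; an empty list means nothing looked odd."""
    directory, name = split_image_path(path)
    findings = []
    if name in EXPECTED_DIRS:
        # Real name, wrong place: the classic "svchost.exe in Temp" pattern.
        if directory != EXPECTED_DIRS[name]:
            findings.append(f"{name} runs from {directory}, expected {EXPECTED_DIRS[name]}")
    else:
        # Unknown name that is only a typo away from a core binary.
        for real in EXPECTED_DIRS:
            if levenshtein(name, real) <= MIMIC_DISTANCE:
                findings.append(f"{name} mimics {real}")
    if directory == "\\":
        findings.append(f"{name} runs from the drive root")
    return findings


def check_process_list(lines) -> dict:
    """Map each suspicious image path to its findings; clean paths are omitted."""
    report = {}
    for line in lines:
        line = line.strip()
        if line:
            findings = check_process(line)
            if findings:
                report[line] = findings
    return report


# Sample input: the first eight lines are copied from the thread's HijackThis
# log; scvhost.exe and the Temp\svchost.exe entry are CONSTRUCTED; the last
# line is the file the helper asked to have uploaded to VirusTotal.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\scvhost.exe
C:\Documents and Settings\kev\Local Settings\Temp\svchost.exe
C:\vfjmbvbg.exe
""".splitlines()

if __name__ == "__main__":
    for image, why in check_process_list(SAMPLE_PROCESSES).items():
        print(image, "->", "; ".join(why))
```

The path check answers the svchost question in the post: eight copies of svchost.exe are normal on XP as long as every one of them is C:\WINDOWS\System32\svchost.exe. The "Unknown owner" shown for PnkBstrA in an O23 line is only HijackThis reporting that the service has no company name recorded; the check that actually answers the signature question is Authenticode verification of the image file, which PowerShell exposes as Get-AuthenticodeSignature. The edit-distance rule is deliberately loose and can flag legitimately short names, so treat its output as a list to look at, not a verdict.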
  31. MD5: b42f06bb21d598a834ae4739a10fd34f
    First received: 2009.07.13 05:40:27 UTC
    Date: 2009.07.16 09:30:56 UTC [+1D]
    Results: 23/41
    Permalink: analisis/0b6fd9711b2706d97c1b125a67a5ed11a5339b8b11bb43c62222ab5146c95143-1247736656


    File fdhjbl.exe received on 2009.07.16 09:30:56 (UTC)
    Current status: finished
    Result: 23/41 (56.10%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.24 2009.07.16 Trojan.Win32.Rabbit!IK
    AhnLab-V3 5.0.0.2 2009.07.16 -
    AntiVir 7.9.0.215 2009.07.16 TR/Dropper.Gen2
    Antiy-AVL 2.0.3.7 2009.07.16 Trojan/Win32.Agent.gen
    Authentium 5.1.2.4 2009.07.16 W32/Kobcka.B.gen!Eldorado
    Avast 4.8.1335.0 2009.07.16 Win32:Wigon-G
    AVG 8.5.0.387 2009.07.16 Win32/Heur
    BitDefender 7.2 2009.07.16 -
    CAT-QuickHeal 10.00 2009.07.16 TrojanDownloader.Agent.ciiv
    ClamAV 0.94.1 2009.07.16 -
    Comodo 1668 2009.07.16 -
    DrWeb 5.0.0.12182 2009.07.16 Trojan.DownLoad.38937
    eSafe 7.0.17.0 2009.07.15 Win32.Wigon.Kt
    eTrust-Vet 31.6.6617 2009.07.15 -
    F-Prot 4.4.4.56 2009.07.16 W32/Kobcka.B.gen!Eldorado
    F-Secure 8.0.14470.0 2009.07.16 Trojan-Downloader.Win32.Agent.ciiv
    Fortinet 3.120.0.0 2009.07.16 W32/Agent.CIIV!tr.dldr
    GData 19 2009.07.16 Win32:Wigon-G
    Ikarus T3.1.1.64.0 2009.07.16 Trojan.Win32.Rabbit
    Jiangmin 11.0.800 2009.07.16 TrojanDownloader.Agent.bofg
    K7AntiVirus 7.10.793 2009.07.15 Trojan-Downloader.Win32.Agent.ciiv
    Kaspersky 7.0.0.125 2009.07.16 Trojan-Downloader.Win32.Agent.ciiv
    McAfee 5677 2009.07.15 -
    McAfee+Artemis 5677 2009.07.15 Artemis!B42F06BB21D5
    McAfee-GW-Edition 6.8.5 2009.07.16 Heuristic.LooksLike.Win32.Cutwail.A
    Microsoft 1.4803 2009.07.16 TrojanDownloader:Win32/Cutwail.AS
    NOD32 4249 2009.07.16 a variant of Win32/Wigon.KT
    Norman 6.01.09 2009.07.15 -
    nProtect 2009.1.8.0 2009.07.16 -
    Panda 10.0.0.14 2009.07.15 -
    PCTools 4.4.2.0 2009.07.15 -
    Prevx 3.0 2009.07.16 -
    Rising 21.38.31.00 2009.07.16 -
    Sophos 4.43.0 2009.07.16 -
    Sunbelt 3.2.1858.2 2009.07.16 Trojan.Win32.Unidentified.VS
    Symantec 1.4.4.12 2009.07.16 -
    TheHacker 6.3.4.3.368 2009.07.15 -
    TrendMicro 8.950.0.1094 2009.07.16 -
    VBA32 3.12.10.8 2009.07.15 -
    ViRobot 2009.7.16.1838 2009.07.16 -
    VirusBuster 4.6.5.0 2009.07.15 Trojan.DR.Pandex.Gen.13
    Additional information
    File size: 22627 bytes
    MD5 : b42f06bb21d598a834ae4739a10fd34f
    SHA1 : ee97e5164ad4ac3879c60e6ee68f6267abaaca62
    SHA256: 0b6fd9711b2706d97c1b125a67a5ed11a5339b8b11bb43c62222ab5146c95143
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x11E4
    timedatestamp.....: 0x4A5A6E2E (Mon Jul 13 01:13:50 2009)
    machinetype.......: 0x14C (Intel I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xBBC 0xBC0 6.46 3c6d167c3aee0e59f7d55fa0cdfe3d28
    .rdata 0x2000 0x362 0x364 4.88 01ba01f2a0b9619a8df22cfa8c6217e7
    .data 0x3000 0xD4 0x8F 3.55 c65aaf09d706efb2b8d98183b762aaca
    .rsrc 0x4000 0x4260 0x4263 7.98 e3f83fbc9c8cdcfa2d334d8dc5e3dc3d

    ( 2 imports )

    > kernel32.dll: GetModuleHandleA, GetSystemInfo, GetVersionExA, LocalAlloc, Sleep, ExitProcess
    > user32.dll: BeginPaint, BlockInput, CharLowerA, CharUpperA, CreateDialogParamA, CreateWindowExA, CreateWindowStationA, DefWindowProcA, DispatchMessageA, EndDialog, EndPaint, FindWindowA, FlashWindow, GetAsyncKeyState, GetClassInfoExA, GetTopWindow, GetUserObjectInformationA, MessageBoxA, RegisterWindowMessageA, SetDlgItemInt, SetFocus, SetWindowTextA, ShowWindow, TranslateMessage, UpdateWindow

    ( 0 exports )
    TrID : File type identification
    Win32 Executable Generic (38.3%)
    Win32 Dynamic Link Library (generic) (34.1%)
    Win16/32 Executable Delphi generic (9.3%)
    Generic Win/DOS Executable (9.0%)
    DOS Executable Generic (9.0%)
    ssdeep: 384:07oityqnQ7S+tZsJvcoH6oOB0GpFwrPP69DSUAxxaMF8ipnJymmiBZ:0cMu3sJp6AGcrnAm7aMOikmFBZ
    PEiD : -
    RDS : NSRL Reference Data Set
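How to read the VirusTotal output above, as an added example that is not code from the thread or from VirusTotal: the Python script below parses an excerpt of the posted result table into (vendor, result) pairs and computes the detection ratio, implements the Shannon entropy that the "ntrpy" column reports, and applies a simple heuristic to the section figures VirusTotal printed for fdhjbl.exe (a .rsrc section with entropy 7.98 that accounts for 0x4263 of the file's 22627 bytes is close to random and holds most of the file, which is the usual footprint of a compressed or encrypted payload unpacked at run time). It also picks out the imported APIs from the posted import table that are rare in ordinary desktop software. The entropy and share thresholds, the list of interesting imports and the entropy test inputs are this example's own assumptions.

```python
"""Triage a pasted VirusTotal text report and the PE facts it lists.

Added example, not code from the thread. VT_REPORT is an excerpt of the
VirusTotal table posted above for fdhjbl.exe; the section figures used
below are the ones VirusTotal printed; the entropy inputs are constructed.
"""
import math
import re
from collections import Counter

VT_REPORT = """\
a-squared 4.5.0.24 2009.07.16 Trojan.Win32.Rabbit!IK
AhnLab-V3 5.0.0.2 2009.07.16 -
AntiVir 7.9.0.215 2009.07.16 TR/Dropper.Gen2
Authentium 5.1.2.4 2009.07.16 W32/Kobcka.B.gen!Eldorado
BitDefender 7.2 2009.07.16 -
Kaspersky 7.0.0.125 2009.07.16 Trojan-Downloader.Win32.Agent.ciiv
McAfee 5677 2009.07.15 -
Microsoft 1.4803 2009.07.16 TrojanDownloader:Win32/Cutwail.AS
NOD32 4249 2009.07.16 a variant of Win32/Wigon.KT
Symantec 1.4.4.12 2009.07.16 -
TrendMicro 8.950.0.1094 2009.07.16 -
VirusBuster 4.6.5.0 2009.07.15 Trojan.DR.Pandex.Gen.13
"""

# vendor, engine version, signature date, free-text result ("-" = no detection)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


def parse_vt_report(text: str) -> list:
    """Return [(vendor, result_or_None), ...] from the pasted table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            result = m.group(4).strip()
            rows.append((m.group(1), None if result == "-" else result))
    return rows


def detection_ratio(rows) -> tuple:
    """(engines that flagged the file, engines queried)."""
    return sum(1 for _, r in rows if r), len(rows)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, well below 7 for text or unpacked code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_is_payload_carrier(name, raw_size, entropy, file_size,
                               min_entropy=7.5, min_share=0.5) -> bool:
    """True when a section is near-random AND holds at least half the file.

    Heuristic (assumed thresholds): a blob that large and that random,
    especially in .rsrc, usually means the real payload is unpacked or
    dropped at run time rather than visible to a static scanner.
    """
    return entropy >= min_entropy and raw_size / file_size >= min_share


# APIs rare in ordinary desktop software but common in droppers and bots;
# all three appear in the user32.dll import list posted above.
INTERESTING_IMPORTS = {
    "BlockInput": "locks the user's keyboard and mouse",
    "GetAsyncKeyState": "polls key state without owning a window (keylogger style)",
    "CreateWindowStationA": "creates a separate window station so UI never shows on the desktop",
}


def flag_imports(imports) -> dict:
    """Map each interesting imported name to why a reviewer cares about it."""
    return {n: INTERESTING_IMPORTS[n] for n in imports if n in INTERESTING_IMPORTS}


if __name__ == "__main__":
    rows = parse_vt_report(VT_REPORT)
    print("detections:", detection_ratio(rows))
    # Section figures VirusTotal printed for fdhjbl.exe (.rsrc rawdsiz 0x4263, ntrpy 7.98, file 22627 bytes)
    print(".rsrc looks like a payload carrier:",
          section_is_payload_carrier(".rsrc", 0x4263, 7.98, 22627))
    print(flag_imports(["GetModuleHandleA", "Sleep", "BlockInput",
                        "GetAsyncKeyState", "CreateWindowStationA"]))
    print(round(shannon_entropy(bytes(range(256))), 2), round(shannon_entropy(b"A" * 64), 2))
```

Two things the ratio alone does not tell you: the vendor names disagree (Cutwail, Wigon, Pandex, Kobcka, Agent) because each maps the same downloader to its own family naming, so the family tokens are what to search on, not the full strings; and the .rsrc figures explain why scanners that only look at the visible code miss the file, which is also why the helper asked for the dropped files rather than relying on the installed scanners.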
  32. It let me delete it, though.
  33. C:\WINDOWS\system32\drivers\cbdf3c78.sys

    0 bytes size received / Se ha recibido un archivo vacio
  34. I don't understand; are those the results from a scan(s)?

    --Can you please organize the running processes from Task Manager by their NAME from A-Z and repost; it will be easier for me to notice potential malware.
  35. Those were the results of the files I submitted to VirusTotal.
  36. That's good, let's continue with the fix.

    Step One

    First create a batch file to delete a service

    Open notepad.

    Click start > run and type in:

    notepad.exe

    Copy and paste the bolded text below into notepad:

    @ECHO OFF
    sc stop hjgruiyfvxjeao
    sc delete hjgruiyfvxjeao
    exit


    Select "File" then "Save as"
    Save to the Desktop and make the File name:

    delserv.bat

    make sure that the "Save as type" says "All files"

    Double click the newly created delserv file on your desktop. A black window should briefly appear.


    Step Two

    Open notepad.

    Click start > run and type in:

    notepad.exe

    Copy and paste the bolded text below into notepad:

    KillAll::

    File::
    c:\windows\system32\flashd32.dll
    C:\vfjmbvbg.exe
    C:\WINDOWS\system32\drivers\cbdf3c78.sys

    Registry::
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{38101905-D80F-4788-96F6-986A8186178A}"=-


    Save this as a text file with name of:

    CFScript

    Select "All files" from Save as Type. Save to the desktop.

    Now click and drag the CFScript file onto the combofix icon on your desktop.

    Post the new combofix log in your next reply.
  37. --Can you please organize the running processes from Task Manager by their NAME from A-Z and repost; it will be easier for me to notice potential malware. As you did in one of the posts above...

    -Why are you ignoring me? I need to see them organized by name from A-Z, it will let me notice and see anything fishy.
  38. How do I do that?
    HijackThis arranges them how it wants.
  39. Ohh, I see, I used Everest for that one post. OK, gimme a sec.
  40. --------[ Processes ]---------------------------------------------------------------------------------------------------

    aawservice.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe 32-bit 1504 KB 11524 KB
    Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe 32-bit 3820 KB 2108 KB
    Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe 32-bit 3300 KB 1904 KB
    CachemanXP.exe C:\PROGRA~1\CACHEM~1\CachemanXP.exe 32-bit 1520 KB 2232 KB
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe 32-bit 4772 KB 1340 KB
    devldr32.exe C:\WINDOWS\system32\devldr32.exe 32-bit 3976 KB 2364 KB
    egui.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe 32-bit 3312 KB 8064 KB
    ekrn.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe 32-bit 43200 KB 40172 KB
    everest.exe C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe 32-bit 24284 KB 21764 KB
    Explorer.EXE C:\WINDOWS\Explorer.EXE 32-bit 32792 KB 35556 KB
    firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe 32-bit 167 MB 158 MB
    frd.exe C:\Program Files\Java\jre6\launch4j-tmp\frd.exe 32-bit 35004 KB 71768 KB
    GrooveMonitor.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe 32-bit 7252 KB 2748 KB
    HDSentinel.exe C:\Program Files\Hard Disk Sentinel\HDSentinel.exe 32-bit 16308 KB 13700 KB
    HPWuSchd2.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe 32-bit 2904 KB 952 KB
    ICQ.exe C:\Program Files\ICQ6.5\ICQ.exe 32-bit 49040 KB 46472 KB
    InCDsrv.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe 32-bit 5272 KB 2228 KB
    ipoint.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe 32-bit 14556 KB 8496 KB
    jqs.exe C:\Program Files\Java\jre6\bin\jqs.exe 32-bit 1392 KB 2236 KB
    lsass.exe C:\WINDOWS\system32\lsass.exe 32-bit 1604 KB 2800 KB
    MaxBlastMonitor.exe C:\Program Files\Seagate\DiscWizard\MaxBlastMonitor.exe 32-bit 2304 KB 1812 KB
    MSCamS32.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe 32-bit 2560 KB 760 KB
    msmsgs.exe C:\Program Files\Messenger\msmsgs.exe 32-bit 1896 KB 1632 KB
    MsnMsgr.Exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe 32-bit 59932 KB 40900 KB
    PnkBstrA.exe C:\WINDOWS\system32\PnkBstrA.exe 32-bit 2528 KB 1764 KB
    regmech.exe C:\Program Files\Registry Mechanic\regmech.exe 32-bit 22500 KB 21872 KB
    RocketDock.exe C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe 32-bit 11840 KB 4972 KB
    schedhlp.exe C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe 32-bit 3212 KB 996 KB
    schedul2.exe C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe 32-bit 2388 KB 736 KB
    SeaPort.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe 32-bit 8408 KB 5776 KB
    services.exe C:\WINDOWS\system32\services.exe 32-bit 5404 KB 3696 KB
    smss.exe C:\WINDOWS\System32\smss.exe 32-bit 416 KB 172 KB
    speedfan.exe C:\Program Files\SpeedFan\speedfan.exe 32-bit 11640 KB 6304 KB
    spoolsv.exe C:\WINDOWS\system32\spoolsv.exe 32-bit 5876 KB 3920 KB
    StarWindService.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe 32-bit 2140 KB 608 KB
    steam.exe C:\program files\steam\steam.exe 32-bit 21712 KB 54396 KB
    SUPERAntiSpyware.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe 32-bit 804 KB 100 MB
    svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 1924 KB 532 KB
    svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 1884 KB 520 KB
    svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 4060 KB 2328 KB
    svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 2492 KB 1116 KB
    svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 6404 KB 3392 KB
    svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 4788 KB 2884 KB
    svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 36480 KB 20980 KB
    svchost.exe C:\WINDOWS\system32\svchost.exe 32-bit 2260 KB 1720 KB
    TimounterMonitor.exe C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe 32-bit 6220 KB 6684 KB
    TUProgSt.exe C:\WINDOWS\System32\TUProgSt.exe 32-bit 2952 KB 1020 KB
    UberIcon Manager.exe C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe 32-bit 4060 KB 1328 KB
    UltraMon.exe C:\Program Files\UltraMon\UltraMon.exe 32-bit 4236 KB 3640 KB
    UltraMonTaskbar.exe C:\Program Files\UltraMon\UltraMonTaskbar.exe 32-bit 3224 KB 1464 KB
    vVX6000.exe C:\WINDOWS\vVX6000.exe 32-bit 4268 KB 1484 KB
    WgaTray.exe C:\WINDOWS\system32\WgaTray.exe 32-bit 416 KB 2256 KB
    winamp.exe C:\Program Files\Winamp\winamp.exe 32-bit 71068 KB 60396 KB
    winlogon.exe C:\WINDOWS\system32\winlogon.exe 32-bit 5016 KB 7296 KB
    wlcomm.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe 32-bit 32860 KB 20512 KB
    WLService.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe 32-bit 1384 KB 380 KB
    WMP54Gv4.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe 32-bit 7720 KB 8188 KB
  41. Hi Kevin,

    How are you going with the scripts?

    We are at the business end of the process.
  42. That report is after I ran those scripts. They rocked. Chug a beer.

    Are you some kind of computer magician or wizard?
  43. LOL.... I do enjoy a chug o' beer.

    Can you grab the combofix log from C:\ComboFix.txt, it will be updated from the previous combofix run.
  44. ox dibhjj js,,,rt yr i is hammeeref anf i dont ghink ti abnk thrtihkkk
  45. hsth teh
  46. Everything all good?

    We can continue the fix when you're ready, just let me know.
  47. Thanks, I checked out your processes and it looks pretty clean to me, however just to be safe, since svhost really looks suspicious to me, just go to this link:
    http://www.processlibrary.com/search/?q=svhost
    and run the scan to check for svhost-related errors, because everything might be fine but I smell fish from that process.

    -Also services.exe looks fishy,
    http://www.processlibrary.com/search/?q=services.exe
    -run the scan

    -And lastly msmsgs.exe looks like it might be something
    http://www.processlibrary.com/search/?q=msmsgs.exe

    *Note* in the links I sent you, there might be more than one of the same processes listed, run the scan under the one that is colored red, not green.
  48. Sorry for double post, but give me some time and I will give a closer look to those processes and will try to find software for you to get rid of process-related malware. I will stay focused on just the *"running processes and services"* to look into that, because I don't really know much about the scripts you and the other poster are doing and other stuff.
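As an added example (not code from this thread or from either poster), here is a small Python triage script that does the check posts 47 and 48 are after in a repeatable way: it parses lines in the same name / path / bitness / memory layout as the process listing above, flags core system binaries running from a directory other than the one they should live in, and flags unknown names that are one character away from a system binary (the svhost/svchost kind of look-alike). The sample rows, the expected-directory table and the two "bad" rows are constructed assumptions, not entries from the posted listing.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample in the "name path bitness WS PB" layout of the posted listing;
# the first three rows mirror real entries, the last two are made up to show hits.
SAMPLE_LISTING = r"""
svchost.exe C:\WINDOWS\System32\svchost.exe 32-bit 1924 KB 532 KB
services.exe C:\WINDOWS\system32\services.exe 32-bit 5404 KB 3696 KB
msmsgs.exe C:\Program Files\Messenger\msmsgs.exe 32-bit 1896 KB 1632 KB
svhost.exe C:\Documents and Settings\user\svhost.exe 32-bit 2000 KB 900 KB
lsass.exe C:\WINDOWS\lsass.exe 32-bit 1600 KB 2800 KB
"""
# Assumed allow-list: the only directory each core XP binary should run from.
EXPECTED_DIR = {
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "msmsgs.exe": r"c:\program files\messenger",
}
LINE_RE = re.compile(r"^(.+?)\s+([A-Za-z]:\\.+?)\s+(?:32|64)-bit\s+\d+\s+[KM]B\s+\d+\s+[KM]B$")

def parse_listing(text):
    """(name, path) for each matching line; both name and path may contain spaces."""
    return [m.group(1, 2) for m in map(LINE_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(text):
    """Flag system binaries in the wrong directory and unknown look-alike names."""
    findings = []
    for name, path in parse_listing(text):
        lname = name.lower()
        directory = str(PureWindowsPath(path).parent).lower()
        if lname in EXPECTED_DIR:
            if directory != EXPECTED_DIR[lname]:
                findings.append((name, path, f"unexpected path, expected {EXPECTED_DIR[lname]}"))
            continue
        for known in EXPECTED_DIR:
            if edit_distance(lname, known) == 1:
                findings.append((name, path, f"look-alike of {known}"))
                break
    return findings
```

Running `triage(SAMPLE_LISTING)` reports only the two constructed rows; the three rows copied from the listing come back clean, which is the point of checking the path rather than just the name.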