
Please help me with trojans and an unidentified problem

edited November 2007 in Spyware & Virus Removal
Hello all.

My computer seems to be infected with all kinds of fun stuff. Every time I run Ad-Aware, Spybot Search & Destroy, and my antivirus, all kinds of stuff comes up.
Upon startup, AVG always finds a trojan, when the last time AVG was run, that same trojan was deleted.
My most recent alert is something along the lines of this (I get it every time I open a new web window):

While opening file: c:\windows\system32\gcdefm.dll
Virus identified obfustat.ull

It then gives me the options to quarantine, ignore, heal, cancel.
Each time I heal, and each time I open a new window, it appears.

I was also having issues when I would use Google. I would enter my search, click enter, and come up with search results. If I single clicked on the result I wanted, it would send me to some other site (something along the lines of http://208.etcetc. ) I remember the first three numbers as 208 followed by a series of numbers and periods. As of right now, after running all of the suggested programs, I'm not having that problem, but who knows when I start up my computer again what will happen.


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:10:39 PM, on 10/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft] %systemroot%\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Audio Studio V2.8] C:\WINDOWS\unimontr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKLM\..\Policies\Explorer\Run: [visin] C:\WINDOWS\System32\visin.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 6018 bytes




My pandascan log:
(*I saved it to WordPad, but it is not in word wrap, and the document still shows up like this? :( )

Incident Status Location

Adware:Adware/WebSearch Not disinfected C:\WINDOWS\SYSTEM32\L4ACDB2.DLL
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/bestoffer Not disinfected C:\WINDOWS\SMDAT32M.SYS
Virus:Generic Malware Disinfected C:\Documents and Settings\Administrator\Desktop\setup_rcxp.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.trafficmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.adrevolver.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Mozilla\Firefox\Profiles\4h77myxe.default\COOKIES.TXT[.www.burstbeacon.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@tribalfusion[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@realmedia[1].txt
Adware:Adware/Maxifiles Not disinfected C:\Program Files\SUPPORT.COM\TEMP\ComcastToolbar.exe[²ÜÇ\nsProcess.dll]
Virus:Generic Malware Disinfected C:\Program Files\RegistryCleanerXP\RegistryCleanerXP.exe



Thanks so much in advance.
I'm sharing my computer with my roommates cuz our wireless router pooped out. I don't know if it's something I did, or what they did, but I want to fix it. GRRR!!
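As an added example that is not part of the original thread, here is a small Python triage script for lines in the HijackThis format quoted above. The three rules (an unnamed BHO, a core Windows process name started from outside System32, anything under Policies\Explorer\Run) are this editor's heuristics, not HijackThis features, and the sample lines are constructed from the log in this post.

```python
import re

# Constructed sample modelled on the HijackThis O2/O4 lines quoted in this
# thread; the entries worth a second look (unnamed BHO gcdefm.dll, csrss.exe
# started from the drivers folder, visin.exe under Policies\Explorer\Run)
# are copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Microsoft] %systemroot%\system32\drivers\csrss.exe
O4 - HKLM\..\Policies\Explorer\Run: [visin] C:\WINDOWS\System32\visin.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
"""

# Core Windows processes that, on XP, live only in %systemroot%\system32.
# A Run entry starting one of these from anywhere else is a classic masquerade.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
# First token of a command line: a quoted path, or an unquoted path up to the
# first executable extension that is followed by whitespace or end of line
# (so "Support.com\bin\tgcmd.exe" is not cut at ".com").
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|com|scr|bat|cmd)))(?:\s|$)',
    re.IGNORECASE)


def command_image(cmd):
    """Return the executable path from an autostart command line."""
    m = EXE_RE.match(cmd.strip())
    if m is None:
        return cmd.strip()
    return m.group("quoted") or m.group("bare")


def split_path(path):
    """Split 'dir\\file' into (dir, file), both lower-cased for comparison."""
    directory, _, filename = path.strip().rpartition("\\")
    return directory.lower(), filename.lower()


def triage(log_text):
    """Return a list of {'line', 'image', 'reason'} findings for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        bho = O2_RE.match(line)
        if bho:
            # Legitimate BHOs almost always register a display name.
            if bho.group("name").strip().lower() == "(no name)":
                findings.append({"line": line, "image": bho.group("path").strip(),
                                 "reason": "unnamed BHO"})
            continue
        run = O4_RE.match(line)
        if not run:
            continue
        image = command_image(run.group("cmd"))
        directory, filename = split_path(image)
        if filename in CORE_PROCESSES and not directory.endswith("\\system32"):
            findings.append({"line": line, "image": image,
                             "reason": "core Windows process name outside System32"})
        # The policy Run key is rarely used by ordinary software installers.
        if "policies\\explorer\\run" in run.group("hive").lower():
            findings.append({"line": line, "image": image,
                             "reason": "autostart via Policies\\Explorer\\Run"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:45} {f['image']}")
```

Entries it flags still need confirmation (for example by submitting the file to a multi-engine scanner, as the helper asks later in this thread); the script only narrows down which lines of a long log deserve that effort.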

Comments

  • VekaVeka Finland
    edited October 2007
    Hi roxygrly1431, and welcome to Icrontic. I'll check your logs and respond asap.
  • VekaVeka Finland
    edited October 2007
    Step 1

    Please download to your desktop

    CCleaner
    Combofix

    Step 2

    Install and run CCleaner

    CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. ( www.ccleaner.com )

    Install CCleaner
    • Double-click the installation file.
    • Select English language.
    • Click OK.
    • Click Next.
    • Click I Agree ( if you agree with the terms ).
    • Click Next.
    • Make sure that "Add CCleaner Yahoo! Toolbar..." is unchecked.
    • Click Install.
    Cleaning folders and files
    • Open CCleaner, if you haven't already done that.
    • Click Cleaner, in the CCleaner-menu.
    • Click Run Cleaner.
    • CCleaner will clean all the folders and items that are checkmarked in the Cleaner settings.
    • When CCleaner is done, it will show you a list of deleted items.
    • Exit from CCleaner.
    http://www.jahewi.nl/ccleaner/quick/quick.html

    Step 3

    Run Combofix
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you.
    • Save the log to your desktop.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

    Step 4

    Please post the Combofix log along with a fresh HijackThis log.


    Do you know anything about Comcast Toolbar? It is not malware, but I was wondering whether you -- or someone else -- installed it wittingly.

    EDIT:

    Uninstall RegistryCleanerXP by using Add or Remove Programs in Control Panel ( if present ).
  • edited October 2007
    Thank you for your response. I downloaded and ran the programs.
    Upon restart after running Combofix, to get the logfile, my computer froze, and I was unable to get the log. I ran it again, and saved the logfile the second time successfully. Here it is..

    ComboFix 07-10-28.2** - Lucky 2007-10-28 14:39:51.2 - FAT32x86
    Running from: C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    C:\Documents and Settings\Administrator\Desktop\internet.lnk
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
    C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\microsoft\internet explorer\filters
    C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\microsoft\internet explorer\filters\IExpl32d.exe
    C:\Program Files\akl
    C:\Program Files\akl\akl.dll
    C:\Program Files\akl\akl.exe
    C:\Program Files\akl\curlog.htm
    C:\Program Files\akl\keylog.txt
    C:\Program Files\akl\readme.txt
    C:\Program Files\akl\uninstall.exe
    C:\Program Files\akl\unsetup.dat
    C:\Program Files\akl\unsetup.exe
    C:\Program Files\amsys
    C:\Program Files\amsys\awmsg.dat
    C:\Program Files\amsys\mfc42.dll
    C:\Program Files\amsys\msvcrt.dll
    C:\Program Files\amsys\unins000.dat
    C:\Program Files\amsys\unis000.exe
    C:\Program Files\amsys\winam.dat
    C:\Program Files\e-zshopper
    C:\Program Files\e-zshopper\BarLcher.dll
    C:\Program Files\p2pnetworks
    C:\Program Files\p2pnetworks\amp2pl.exe
    C:\Temp\fse
    C:\WINDOWS\aconti.exe
    C:\WINDOWS\adbar.dll
    C:\WINDOWS\cbinst$.exe
    C:\WINDOWS\daxtime.dll
    C:\WINDOWS\dp0.dll
    C:\WINDOWS\eventlowg.dll
    C:\WINDOWS\fhfmm-Uninstaller.exe
    C:\WINDOWS\fhfmm.exe
    C:\WINDOWS\flt.dll
    C:\WINDOWS\Fonts\acrsecI.fon
    C:\WINDOWS\hotporn.exe
    C:\WINDOWS\ie_32.exe
    C:\WINDOWS\jd2002.dll
    C:\WINDOWS\kkcomp$.exe
    C:\WINDOWS\kkcomp.dll
    C:\WINDOWS\kkcomp.exe
    C:\WINDOWS\liqad$.exe
    C:\WINDOWS\liqad.dll
    C:\WINDOWS\liqad.exe
    C:\WINDOWS\liqui-Uninstaller.exe
    C:\WINDOWS\liqui.dll
    C:\WINDOWS\liqui.exe
    C:\WINDOWS\ngd.dll
    C:\WINDOWS\spredirect.dll
    C:\WINDOWS\system32\drivers\bg_bg.gif
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\box_1.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\box_3.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\cell_bg.gif
    C:\WINDOWS\system32\drivers\cell_footer.gif
    C:\WINDOWS\system32\drivers\cell_header_block.gif
    C:\WINDOWS\system32\drivers\cell_header_remove.gif
    C:\WINDOWS\system32\drivers\cell_header_scan.gif
    C:\WINDOWS\system32\drivers\close_ico.gif
    C:\WINDOWS\system32\drivers\detect.htm
    C:\WINDOWS\system32\drivers\download_box.gif
    C:\WINDOWS\system32\drivers\download_btn.jpg
    C:\WINDOWS\system32\drivers\download_now_btn.gif
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_red_bg.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
    C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
    C:\WINDOWS\system32\drivers\icon_warning_big.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    C:\WINDOWS\system32\drivers\product_1_header.gif
    C:\WINDOWS\system32\drivers\product_1_name_small.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\product_3_header.gif
    C:\WINDOWS\system32\drivers\product_3_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\pt.htm
    C:\WINDOWS\system32\drivers\rating.gif
    C:\WINDOWS\system32\drivers\remove_spyware_header.gif
    C:\WINDOWS\system32\drivers\s_detect.htm
    C:\WINDOWS\system32\drivers\screenshot.jpg
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\shadow_bg.gif
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\spy_away_box.jpg
    C:\WINDOWS\system32\drivers\spyware_detected.gif
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\v.gif
    C:\WINDOWS\system32\drivers\warning_ico.gif
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\woksbvkq.sys
    C:\WINDOWS\system32\drivers\x.gif
    C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
    C:\WINDOWS\system32\f12WtR
    C:\WINDOWS\system32\gtv_sd.bin
    C:\WINDOWS\system32\Packet.dll
    C:\WINDOWS\system32\WanPacket.dll
    C:\WINDOWS\system32\wpcap.dll
    C:\WINDOWS\xadbrk.dll
    C:\WINDOWS\xadbrk.exe
    C:\WINDOWS\xadbrk_.exe
    C:\WINDOWS\xxxvideo.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_NPF
    \NPF




    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
    .

    2007-10-28 12:20 51,200 --a C:\WINDOWS\NirCmd.exe
    2007-10-28 12:09 <DIR> d C:\Program Files\CCleaner
    2007-10-26 20:48 <DIR> d C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-26 20:47 75,248 --a C:\WINDOWS\zllsputility.exe
    2007-10-26 20:47 11,264 --a C:\WINDOWS\system32\SpOrder.dll
    2007-10-26 20:47 4,212 ---h C:\WINDOWS\system32\zllictbl.dat
    2007-10-26 20:03 <DIR> d C:\WINDOWS\system32\ActiveScan
    2007-10-26 20:00 <DIR> d C:\Program Files\SpywareBlaster
    2007-10-26 17:15 <DIR> d C:\Program Files\SUPERAntiSpyware
    2007-10-26 17:15 <DIR> d C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\SUPERAntiSpyware.com
    2007-10-26 17:15 <DIR> d C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-11 16:47 245,408 --a C:\WINDOWS\system32\unicows.dll
    2007-10-09 08:56 <DIR> d--hs---- C:\FOUND.000
    2007-10-07 11:45 <DIR> d C:\WINDOWS\system32\bits
    2007-10-07 11:42 <DIR> d--h C:\WINDOWS\$hf_mig$
    2007-10-07 11:42 22,752 --a C:\WINDOWS\system32\spupdsvc.exe
    2007-10-06 11:38 <DIR> d C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-10-05 14:51 233,472 --a C:\WINDOWS\system32\Ilda32.dll
    2007-10-05 14:51 18,944 --a C:\WINDOWS\system32\BORLNDMM.DLL
    2007-10-05 14:50 <DIR> d C:\Program Files\CoffeeCup Software
    2007-10-05 14:17 18,688 C:\WINDOWS\system32\drivers\woksbvkq.dat
    2007-10-05 14:17 5,120 C:\WINDOWS\system32\drivers\educdczm.dat
    2007-10-04 07:50 <DIR> d--hs---- C:\FOUND.012
    2007-10-02 13:31 <DIR> d C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\AVG7
    2007-10-01 14:37 <DIR> dr-h C:\$VAULT$.AVG
    2007-10-01 14:07 <DIR> d C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\AVG7
    2007-10-01 14:07 <DIR> d C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-01 14:07 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-01 14:07 <DIR> d C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-01 14:07 499,712 --a C:\WINDOWS\system32\msvcp71.dll
    2007-10-01 13:44 <DIR> d C:\Program Files\InterMute
    2007-10-01 11:46 1,110,528 --a C:\WINDOWS\system32\msxml3.dll
    2007-10-01 11:46 681,984 --a C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-01 11:46 116,736 --a C:\WINDOWS\system32\dllcache\shsvcs.dll
    2007-10-01 11:46 92,160 --a C:\WINDOWS\system32\dllcache\cscdll.dll
    2007-10-01 11:46 92,160 --a C:\WINDOWS\system32\cscdll.dll
    2007-10-01 08:30 83,456 --a C:\WINDOWS\system32\mtxoci.dll
    2007-10-01 08:30 72,704 --a C:\WINDOWS\system32\hlink.dll
    2007-10-01 08:30 64,512 --a C:\WINDOWS\system32\mtxclu.dll
    2007-10-01 08:30 25,600 C:\WINDOWS\system32\verclsid.exe
    2007-09-30 13:34 361,984 --a C:\WINDOWS\system32\dllcache\qmgr.dll
    2007-09-30 13:34 331,776 --a C:\WINDOWS\system32\winhttp.dll
    2007-09-30 13:34 331,776 --a C:\WINDOWS\system32\dllcache\winhttp.dll
    2007-09-30 13:34 17,408 --a C:\WINDOWS\system32\qmgrprxy.dll
    2007-09-30 13:34 17,408 --a C:\WINDOWS\system32\dllcache\qmgrprxy.dll
    2007-09-30 13:34 7,680 C:\WINDOWS\system32\dllcache\bitsprx2.dll
    2007-09-30 13:34 7,680 C:\WINDOWS\system32\bitsprx2.dll
    2007-09-30 13:34 7,168 C:\WINDOWS\system32\dllcache\bitsprx3.dll
    2007-09-30 13:34 7,168 C:\WINDOWS\system32\bitsprx3.dll
    2007-09-30 13:31 549,720 --a C:\WINDOWS\system32\wuapi.dll
    2007-09-30 13:31 325,976 --a C:\WINDOWS\system32\wucltui.dll
    2007-09-30 13:31 203,096 --a C:\WINDOWS\system32\wuweb.dll
    2007-09-30 13:31 186,136 --a C:\WINDOWS\system32\wuaueng1.dll
    2007-09-30 13:31 167,704 --a C:\WINDOWS\system32\wuauclt1.exe
    2007-09-30 13:31 33,624 --a C:\WINDOWS\system32\wups.dll
    2007-09-29 16:21 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-29 12:38 <DIR> d--hs---- C:\FOUND.011
    2007-09-28 17:07 <DIR> d--hs---- C:\FOUND.010

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-27 00:15 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-10-27 00:15 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-09-23 20:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
    2007-09-23 19:57 23,876,904 ----a-w C:\Program Files\SkypeSetup.exe
    2007-09-23 19:57 d w C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Skype
    2007-09-23 19:57 d w C:\Documents and Settings\All Users\Application Data\Skype
    2007-09-23 19:51 684,567 ----a-w C:\WINDOWS\system32\libeay32.dll
    2007-09-23 19:51 165,888 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2007-09-23 19:51 147,729 ----a-w C:\WINDOWS\system32\libssl32.dll
    2007-09-23 19:51 123,392 ----a-w C:\WINDOWS\system32\xlzpwuws.dll
    2007-09-22 02:32 d w C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\U3
    2007-09-15 05:29 d w C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\U3
    2007-09-14 22:35 30,464 ----a-w C:\WINDOWS\system32\ace16win.dll
    2007-09-14 22:13 16,384 ----a-w C:\WINDOWS\system32\s2v.exe
    2007-09-14 22:12 68,096 ----a-w C:\WINDOWS\system32\l4acdb2.dll
    2007-09-10 17:35 d w C:\Program Files\Common Files\SupportSoft
    2007-09-06 22:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-31 01:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E290EEA6-927B-4201-A3E9-7A72E0637DBD}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\system32\pctspk.exe]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-04-19 18:39]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-04-19 18:34]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 00:16]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Audio Studio V2.8"="C:\WINDOWS\unimontr.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-14 12:34:48]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R0 vbikwjfz;vbikwjfz;C:\WINDOWS\System32\drivers\woksbvkq.dat


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Creative Audio Studio V2.8]
    C:\WINDOWS\unimontr.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-17 20:24:28 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2007-09-17 20:25:08 C:\WINDOWS\Tasks\RegistryCleanerXP.job"
    - C:\PROGRA~1\REGIST~1\REGIST~1.EXE
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-28 14:43:37
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-28 14:44:42
    .
    --- E O F ---



    HJT logfile..


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 6:18:26 PM, on 10/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\SNDVOL32.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Creative Audio Studio V2.8] C:\WINDOWS\unimontr.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 5972 bytes
  • VekaVeka Finland
    edited October 2007
    Very nice!

    Print these instructions out, or copy them to a Notepad file for reading while in Safe Mode.


    Step 1

    There are files I don't know:

    C:\WINDOWS\system32\drivers\woksbvkq.dat
    C:\WINDOWS\system32\drivers\educdczm.dat
    C:\WINDOWS\system32\xlzpwuws.dll
    C:\WINDOWS\system32\libssl32.dll
    C:\WINDOWS\System32\drivers\woks bvkq.dat


    Please go to www.virustotal.com. Upload the files, one by one, by copying and pasting the file path into the file box.
    Submit the files and copy and paste the results back into this thread.

    Step 2

    Now open Notepad and copy/paste the text in the code box below into it:
    File:: 
    C:\WINDOWS\system32\ace16win.dll 
    C:\WINDOWS\system32\s2v.exe 
    C:\WINDOWS\system32\l4acdb2.dll 
    C:\WINDOWS\unimontr.exe 
    C:\PROGRA~1\REGIST~1\REGIST~1.EXE
    
    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    Step 3

    Run HijackThis and click the Do system scan only button.
    When the scan is complete, check the following entries:
    O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
    O4 - HKCU\..\Run: [Creative Audio Studio V2.8] C:\WINDOWS\unimontr.exe

    Close web browsers, and all other programs/windows. Click Fix Checked.

    Step 4

    Reboot into Safe Mode
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
    • Instead of Windows loading as normal, a menu with options should appear
    • Select the first option, to run Windows in Safe Mode, then press Enter
    • Choose your usual account
    Step 5

    Scan your computer with SUPERAntiSpyware ( SAS )
    • Start SAS, you have it installed.
    • Click Check for Updates...
    • When done, click the Preferences button.
    • Open the Scanning Control -tab.
    • Make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
      • Ignore System Restore/Volume Information on ME and XP
    • Please leave the others unchecked.
    • Click the Close button to leave.
    • Click Scan your computer.
    • On the left check C:\Fixed Drive.
    • On the right, under "Complete Scan", select Perform Complete Scan.
    • Click Next to start the scan.
    • Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear
    • Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes ( reboot manually if it doesn't ask )
    Step 6

    To retrieve the removal information - please do the following:
    • After reboot, start the SUPERAntispyware again.
    • Click Preferences.
    • Open the Statistics/Logs -tab .
    • Under "Scanner Logs", double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything, then right-click and choose copy.
    • Click close and close again to exit the program.
    Please post the contents of the SAS report, along with the ComboFix log and a fresh HijackThis log.
    Don't forget the results of virustotal.com either. :):)
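    The steps above single out a handful of log entries by eye: a BHO with no name, a Run entry pointing at a file sitting directly in C:\WINDOWS or inside a user profile, a kernel driver whose image is a .dat rather than a .sys, and the vowel-free random file names (gcdefm, xlzpwuws, woksbvkq, vbikwjfz) this infection uses. The Python script below is an added example of mine, not anything VekaVeka or the HijackThis/ComboFix authors supplied, that encodes those same rules so they can be run over a whole log at once. The sample lines are constructed to match the logs posted in this thread; the random-name test and the small allowlist of legitimately vowel-poor binaries are my heuristics, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis lines posted in this thread,
# plus ComboFix's driver-service line ("R0 name;display;image") from its log.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Creative Audio Studio V2.8] C:\WINDOWS\unimontr.exe
O4 - HKUS\S-1-5-21-117609710-1343024091-1060284298-501\..\Run: [System Integrity Check] C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe (User 'Guest')
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
R0 vbikwjfz;vbikwjfz;C:\WINDOWS\System32\drivers\woksbvkq.dat
"""

# Legitimate but vowel-poor names seen in logs like this one; without an
# allowlist the random-name heuristic below would flag them (my assumption).
KNOWN_STEMS = {"svchost", "winlogon", "browseui", "pctspk", "hkcmd", "cscdll"}
VOWELS = set("aeiouy")
PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\application data\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>[^)]*)\) - (?P<company>.*?) - (?P<path>.+)$")
CF_DRV_RE = re.compile(r"^R[0-3] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|dat|sys|ocx))"?(?:\s|$)', re.I)


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def looks_generated(stem: str) -> bool:
    """Heuristic for machine-generated names such as gcdefm, xlzpwuws, woksbvkq:
    6+ letters, and either almost no vowels or a run of 5+ consonants."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha() or s in KNOWN_STEMS:
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowel_ratio <= 0.2 or longest_run >= 5


def _stem(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _path_from_cmd(cmd: str) -> str:
    m = PATH_RE.match(cmd)
    return m["path"] if m else cmd


def _check_path(path: str, line: str, out: list) -> None:
    low = path.lower()
    if any(marker in low for marker in PROFILE_MARKERS):
        out.append(Finding("autorun_from_profile", path, line))
    if _dirname(path) == "c:\\windows":          # binaries belong in System32, not here
        out.append(Finding("binary_in_windows_root", path, line))
    if looks_generated(_stem(path)):
        out.append(Finding("generated_name", path, line))


def triage(text: str) -> list:
    """Return every rule hit for the O2/O4/O23 and ComboFix R0-R3 lines in text."""
    findings: list = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            if m["name"] == "(no name)":          # a BHO with no registered name
                findings.append(Finding("unnamed_bho", m["clsid"], line))
            _check_path(m["path"], line, findings)
        elif (m := O4_RE.match(line)):
            _check_path(_path_from_cmd(m["cmd"]), line, findings)
        elif (m := O23_RE.match(line)):
            _check_path(m["path"], line, findings)
        elif (m := CF_DRV_RE.match(line)):
            if not m["path"].lower().endswith(".sys"):  # kernel driver image that is not a .sys
                findings.append(Finding("driver_not_sys", f'{m["name"]} -> {m["path"]}', line))
            if looks_generated(m["name"]):
                findings.append(Finding("generated_name", m["name"], line))
            _check_path(m["path"], line, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

    Run against the sample it reports the unnamed BHO, gcdefm.dll, unimontr.exe in the Windows root, the Guest-profile IExpl32d.exe autorun, and the vbikwjfz driver loading woksbvkq.dat, while the AVG, ZoneAlarm, Google and pctspk entries stay quiet. The name heuristic is deliberately loose and is there to point an analyst at entries worth a VirusTotal upload, not to decide anything on its own.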
  • edited October 2007
    First I'm going to post the results of the VirusTotal virus scan.
    I will then do the rest of the steps mentioned.
    C:\WINDOWS\system32\drivers\woksbvkq.dat
    0 bytes size received / Se ha recibido un archivo vacio

    C:\WINDOWS\system32\drivers\educdczm.dat
    0 bytes size received / Se ha recibido un archivo vacio


    C:\WINDOWS\system32\xlzpwuws.dll
    File xlzpwuws.dll_ received on 10.29.2007 21:08:52 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.10.30.0 2007.10.29 -
    AntiVir 7.6.0.30 2007.10.29 TR/Crypt.Morphine.Gen
    Authentium 4.93.8 2007.10.29 -
    Avast 4.7.1074.0 2007.10.29 Win32:Delf-GFV
    AVG 7.5.0.503 2007.10.29 -
    BitDefender 7.2 2007.10.29 -
    CAT-QuickHeal 9.00 2007.10.29 -
    ClamAV 0.91.2 2007.10.29 -
    DrWeb 4.44.0.09170 2007.10.29 -
    eSafe 7.0.15.0 2007.10.28 -
    eTrust-Vet 31.2.5250 2007.10.29 -
    Ewido 4.0 2007.10.29 -
    FileAdvisor 1 2007.10.29 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.3.2.48 2007.10.29 -
    F-Secure 6.70.13030.0 2007.10.29 W32/BHO.QG
    Ikarus T3.1.1.12 2007.10.29 -
    Kaspersky 7.0.0.125 2007.10.29 -
    McAfee 5151 2007.10.29 -
    Microsoft 1.2908 2007.10.29 VirTool:Win32/Obfuscator.P
    NOD32v2 2623 2007.10.29 -
    Norman 5.80.02 2007.10.29 W32/BHO.QG
    Panda 9.0.0.4 2007.10.29 Suspicious file
    Rising 19.47.02.00 2007.10.29 -
    Sophos 4.23.0 2007.10.29 -
    Sunbelt 2.2.907.0 2007.10.29 -
    Symantec 10 2007.10.29 -
    TheHacker 6.2.9.110 2007.10.27 -
    VBA32 3.12.2.4 2007.10.28 -
    VirusBuster 4.3.26:9 2007.10.29 -
    Webwasher-Gateway 6.0.1 2007.10.29 Trojan.Crypt.Morphine.Gen

    Additional information
    File size: 123392 bytes
    MD5: 9099ff0494758534db1432afec47311a
    SHA1: 0c658d7b36fa346cfe4f0a905df9d7a14844e35e
    packers: Morphine, UPX
    packers: Morphine

    C:\WINDOWS\system32\libssl32.dll
    File libssl32.dll_ received on 10.29.2007 21:22:25 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.10.30.0 2007.10.29 -
    AntiVir 7.6.0.30 2007.10.29 -
    Authentium 4.93.8 2007.10.29 -
    Avast 4.7.1074.0 2007.10.29 -
    AVG 7.5.0.503 2007.10.29 -
    BitDefender 7.2 2007.10.29 -
    CAT-QuickHeal 9.00 2007.10.29 -
    ClamAV 0.91.2 2007.10.29 -
    DrWeb 4.44.0.09170 2007.10.29 -
    eSafe 7.0.15.0 2007.10.28 -
    eTrust-Vet 31.2.5250 2007.10.29 -
    Ewido 4.0 2007.10.29 -
    FileAdvisor 1 2007.10.29 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.3.2.48 2007.10.29 -
    F-Secure 6.70.13030.0 2007.10.29 -
    Ikarus T3.1.1.12 2007.10.29 -
    Kaspersky 7.0.0.125 2007.10.29 -
    McAfee 5151 2007.10.29 -
    Microsoft 1.2908 2007.10.29 -
    NOD32v2 2623 2007.10.29 -
    Norman 5.80.02 2007.10.29 -
    Panda 9.0.0.4 2007.10.29 -
    Prevx1 V2 2007.10.29 -
    Rising 19.47.02.00 2007.10.29 -
    Sophos 4.23.0 2007.10.29 -
    Sunbelt 2.2.907.0 2007.10.29 -
    Symantec 10 2007.10.29 -
    TheHacker 6.2.9.110 2007.10.27 -
    VBA32 3.12.2.4 2007.10.28 -
    VirusBuster 4.3.26:9 2007.10.29 -
    Webwasher-Gateway 6.0.1 2007.10.29 Win32.UPXpacked.gen!94 (suspicious)

    Additional information
    File size: 147729 bytes
    MD5: 8dc9aeeb9206cca033b74e3088897402
    SHA1: fcc219c2fad0f5cd90988a79997ceb3d2479d634
    packers: UPX
    packers: PE_Patch.UPX, UPX


    C:\WINDOWS\System32\drivers\woks bvkq.dat
    0 bytes size received / Se ha recibido un archivo vacio


    With the first two entries, and the last, I got this message: "0 bytes size received / Se ha recibido un archivo vacio".
    It was displayed at the top of a blank white screen.
    I thought I got this message in error, so I tried entering them again, all of them, numerous times, and I kept getting the same message.

    Hope it's OK.
    If not, I can scan again.
    I will post the rest of the steps you mentioned after this post.
    THANKS!
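    The three "0 bytes size received" rows above are the important signal in this post: what reached VirusTotal was empty, so those rows say nothing about the files, and only the two uploads that carried bytes (xlzpwuws.dll, libssl32.dll) produced verdicts. The check below is an added example of mine, not anything from this thread or from VirusTotal, for confirming that the bytes a scanner saw are the bytes on disk: it hashes a file in chunks, records separately how much could actually be read versus what the directory listing claims, and compares MD5, SHA1 and size against the values a report quotes. The xlzpwuws.dll values are the ones posted above; the write_sample helper and the "abc" input are constructed test data.

```python
import hashlib
import os
import tempfile

# Values VirusTotal reported in this thread for the one sample it actually received.
REPORTED = {
    "xlzpwuws.dll": {
        "size": 123392,
        "md5": "9099ff0494758534db1432afec47311a",
        "sha1": "0c658d7b36fa346cfe4f0a905df9d7a14844e35e",
    },
}


def fingerprint(path: str, chunk_size: int = 64 * 1024) -> dict:
    """Hash a file in chunks and record how many bytes were actually readable.

    os.stat can claim 18,688 bytes while a read returns nothing, which is the
    "0 bytes size received" symptom; the two numbers are kept apart so the gap
    is visible instead of silently hashing an empty stream.
    """
    size_on_disk = os.stat(path).st_size
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bytes_read, error = 0, None
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                bytes_read += len(block)
                md5.update(block)
                sha1.update(block)
    except OSError as exc:  # locked, access denied, or hidden by a filter driver
        error = str(exc)
    return {"size": bytes_read, "size_on_disk": size_on_disk,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "error": error}


def compare(local: dict, reported: dict) -> list:
    """List the reasons a scanner verdict should not be trusted for this file.

    An empty list means the local bytes are exactly what the report describes.
    """
    problems = []
    if local["error"]:
        problems.append("unreadable: " + local["error"])
    if local["size"] == 0:
        problems.append("0 bytes read: an empty upload yields a meaningless verdict")
    elif local["size"] != local["size_on_disk"]:
        problems.append(f"read {local['size']} of {local['size_on_disk']} bytes on disk")
    for key in ("size", "md5", "sha1"):
        if reported.get(key) is not None and local[key] != reported[key]:
            problems.append(f"{key} mismatch: local {local[key]} vs reported {reported[key]}")
    return problems


def write_sample(data: bytes) -> str:
    """Constructed test input: write bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_sample(b"abc")
    print(compare(fingerprint(sample), REPORTED["xlzpwuws.dll"]))
    os.remove(sample)
```

    On the infected machine the same function is what you would run against woksbvkq.dat and educdczm.dat before re-uploading: if bytes_read comes back 0 while size_on_disk is 18,688, the file is being withheld from user-mode reads, which is a stronger indicator than any antivirus verdict on an empty upload.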
  • edited October 2007
    OK. I've got the results of the other scans.
    When I tried to delete that one entry using HJT (O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll), it was unsuccessful. I tried it several times, with no success. I then tried it in Safe Mode, thinking it might work because I had no connection to the internet, and it didn't. It's my most "annoying virus", or whatever it is, because whenever I open a new browser window, AVG gives me that stupid virus alert message. It's being a stubborn POS, and won't go away! :wtf:

    Well, anyway... Here are the results from my other scans.
    The results from the virustotal online scan are shown in my previous post
    SAS:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/29/2007 at 04:41 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3331
    Trace Rules Database Version: 1332

    Scan type : Complete Scan
    Total Scan Time : 01:16:55

    Memory items scanned : 158
    Memory threats detected : 0
    Registry items scanned : 3823
    Registry threats detected : 0
    File items scanned : 19968
    File threats detected : 12

    Adware.Tracking Cookie
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@realmedia[2].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@ad[1].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@banners2.battleon[2].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@ads.adbrite[2].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@adopt.euroclick[2].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@server.cpmstar[2].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@m1.webstats.motigo[1].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@adbrite[1].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@stats.ahacafe[1].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@adserver.inventorspot[1].txt
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Cookies\lucky@eas.apm.emediate[2].txt

    Trojan.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\BG_BG.GIF.VIR

    Combofix:


    ComboFix 07-10-28.2** - Lucky 2007-10-29 14:38:24.3 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.62 [GMT -6:00]
    Running from: C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\PROGRA~1\REGIST~1\REGIST~1.EXE
    C:\WINDOWS\system32\ace16win.dll
    C:\WINDOWS\system32\l4acdb2.dll
    C:\WINDOWS\system32\s2v.exe
    C:\WINDOWS\unimontr.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ace16win.dll
    C:\WINDOWS\system32\l4acdb2.dll
    C:\WINDOWS\system32\s2v.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
    .

    2007-10-28 12:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-28 12:09 <DIR> d-------- C:\Program Files\CCleaner
    2007-10-26 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-26 20:47 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-10-26 20:47 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-10-26 20:47 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-10-26 20:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-10-26 20:00 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-10-26 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-10-26 17:15 <DIR> d-------- C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\SUPERAntiSpyware.com
    2007-10-26 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-11 16:47 245,408 --a------ C:\WINDOWS\system32\unicows.dll
    2007-10-09 08:56 <DIR> d--hs---- C:\FOUND.000
    2007-10-07 11:45 <DIR> d-------- C:\WINDOWS\system32\bits
    2007-10-07 11:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-07 11:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-06 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-10-05 14:51 233,472 --a------ C:\WINDOWS\system32\Ilda32.dll
    2007-10-05 14:51 18,944 --a------ C:\WINDOWS\system32\BORLNDMM.DLL
    2007-10-05 14:50 <DIR> d-------- C:\Program Files\CoffeeCup Software
    2007-10-05 14:17 18,688 C:\WINDOWS\system32\drivers\woksbvkq.dat
    2007-10-05 14:17 5,120 C:\WINDOWS\system32\drivers\educdczm.dat
    2007-10-04 07:50 <DIR> d--hs---- C:\FOUND.012
    2007-10-02 13:31 <DIR> d-------- C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\AVG7
    2007-10-01 14:37 <DIR> dr-h----- C:\$VAULT$.AVG
    2007-10-01 14:07 <DIR> d-------- C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\AVG7
    2007-10-01 14:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-01 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-01 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-01 14:07 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-10-01 13:44 <DIR> d-------- C:\Program Files\InterMute
    2007-10-01 11:46 1,110,528 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-10-01 11:46 681,984 --a------ C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-01 11:46 116,736 --a------ C:\WINDOWS\system32\dllcache\shsvcs.dll
    2007-10-01 11:46 92,160 --a------ C:\WINDOWS\system32\dllcache\cscdll.dll
    2007-10-01 11:46 92,160 --a------ C:\WINDOWS\system32\cscdll.dll
    2007-10-01 08:30 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
    2007-10-01 08:30 72,704 --a------ C:\WINDOWS\system32\hlink.dll
    2007-10-01 08:30 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
    2007-10-01 08:30 25,600 --------- C:\WINDOWS\system32\verclsid.exe
    2007-09-30 13:34 361,984 --a------ C:\WINDOWS\system32\dllcache\qmgr.dll
    2007-09-30 13:34 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
    2007-09-30 13:34 331,776 --a------ C:\WINDOWS\system32\dllcache\winhttp.dll
    2007-09-30 13:34 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2007-09-30 13:34 17,408 --a------ C:\WINDOWS\system32\dllcache\qmgrprxy.dll
    2007-09-30 13:34 7,680 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
    2007-09-30 13:34 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
    2007-09-30 13:34 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
    2007-09-30 13:34 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2007-09-30 13:31 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-09-30 13:31 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-09-30 13:31 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-09-30 13:31 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2007-09-30 13:31 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2007-09-30 13:31 33,624 --a------ C:\WINDOWS\system32\wups.dll
    2007-09-29 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-29 12:38 <DIR> d--hs---- C:\FOUND.011

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-27 00:15 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-10-27 00:15 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-09-23 20:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
    2007-09-23 19:57 23,876,904 ----a-w C:\Program Files\SkypeSetup.exe
    2007-09-23 19:57 --------- d-----w C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Skype
    2007-09-23 19:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2007-09-23 19:51 684,567 ----a-w C:\WINDOWS\system32\libeay32.dll
    2007-09-23 19:51 165,888 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2007-09-23 19:51 147,729 ----a-w C:\WINDOWS\system32\libssl32.dll
    2007-09-23 19:51 123,392 ----a-w C:\WINDOWS\system32\xlzpwuws.dll
    2007-09-22 02:32 --------- d-----w C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\U3
    2007-09-15 05:29 --------- d-----w C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\U3
    2007-09-10 17:35 --------- d-----w C:\Program Files\Common Files\SupportSoft
    2007-09-06 22:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-31 01:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-28_14.43.59.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 16:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E290EEA6-927B-4201-A3E9-7A72E0637DBD}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\system32\pctspk.exe]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-04-19 18:39]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-04-19 18:34]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 00:16]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Audio Studio V2.8"="C:\WINDOWS\unimontr.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-14 12:34:48]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R0 vbikwjfz;vbikwjfz;C:\WINDOWS\System32\drivers\woksbvkq.dat


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Creative Audio Studio V2.8]
    C:\WINDOWS\unimontr.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-17 20:24:28 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2007-09-17 20:25:08 C:\WINDOWS\Tasks\RegistryCleanerXP.job"
    - C:\PROGRA~1\REGIST~1\REGIST~1.EXE
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-29 14:46:48
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-29 14:49:28 - machine was rebooted
    C:\ComboFix2.txt ... 2007-10-28 14:44
    .
    --- E O F ---
  • VekaVeka Finland
    edited October 2007
    Please post a fresh HijackThis log also. :)
  • edited October 2007
    Newest HJT scan:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 3:35:51 AM, on 10/30/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-117609710-1343024091-1060284298-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Guest')
    O4 - HKUS\S-1-5-21-117609710-1343024091-1060284298-501\..\Run: [System Integrity Check] C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe (User 'Guest')
    O4 - HKUS\S-1-5-21-117609710-1343024091-1060284298-501\..\Run: [Skype] "C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Guest')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6461 bytes
  • VekaVeka Finland
    edited November 2007
    Please open notepad and copy/paste the text in the code box below into it:
    File:: 
    C:\WINDOWS\System32\gcdefm.dll 
    C:\PROGRA~1\REGIST~1\REGIST~1.EXE 
    C:\WINDOWS\unimontr.exe 
    C:\WINDOWS\system32\drivers\woksbvkq.dat 
    C:\WINDOWS\System32\drivers\woks bvkq.dat 
    C:\WINDOWS\system32\drivers\educdczm.dat 
    C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe 
    C:\WINDOWS\system32\xlzpwuws.dll 
     
    Driver:: 
    vbikwjfz
    
    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply, along with a fresh HijackThis log. :)
  • edited November 2007
    Combofix log:


    ComboFix 07-10-28.2** - Lucky 2007-11-02 17:30:37.4 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.108 [GMT -6:00]
    Running from: C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\cfscript.txt
    * Created a new restore point

    FILE::
    C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
    C:\PROGRA~1\REGIST~1\REGIST~1.EXE
    C:\WINDOWS\system32\drivers\educdczm.dat
    C:\WINDOWS\System32\drivers\woks bvkq.dat
    C:\WINDOWS\system32\drivers\woksbvkq.dat
    C:\WINDOWS\System32\gcdefm.dll
    C:\WINDOWS\system32\xlzpwuws.dll
    C:\WINDOWS\unimontr.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\xlzpwuws.dll
    C:\WINDOWS\system32\drivers\educdczm.dat . . . . failed to delete
    C:\WINDOWS\system32\drivers\woksbvkq.dat . . . . failed to delete
    C:\WINDOWS\System32\gcdefm.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_VBIKWJFZ
    \vbikwjfz


    ((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
    .

    2007-10-30 23:25 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2007-10-30 21:32 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-30 21:31 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2007-10-30 21:06 23,405,072 --a------ C:\Program Files\AdbeRdr811_en_US.exe
    2007-10-28 12:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-28 12:09 <DIR> d-------- C:\Program Files\CCleaner
    2007-10-26 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-26 20:47 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2007-10-26 20:47 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2007-10-26 20:47 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-10-26 20:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-10-26 20:00 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-10-26 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-10-26 17:15 <DIR> d-------- C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\SUPERAntiSpyware.com
    2007-10-26 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-11 16:47 245,408 --a------ C:\WINDOWS\system32\unicows.dll
    2007-10-09 08:56 <DIR> d--hs---- C:\FOUND.000
    2007-10-07 11:45 <DIR> d-------- C:\WINDOWS\system32\bits
    2007-10-07 11:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-07 11:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2007-10-06 11:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-10-05 14:51 233,472 --a------ C:\WINDOWS\system32\Ilda32.dll
    2007-10-05 14:51 18,944 --a------ C:\WINDOWS\system32\BORLNDMM.DLL
    2007-10-05 14:50 <DIR> d-------- C:\Program Files\CoffeeCup Software
    2007-10-05 14:17 18,688 C:\WINDOWS\system32\drivers\woksbvkq.dat
    2007-10-05 14:17 5,120 C:\WINDOWS\system32\drivers\educdczm.dat
    2007-10-04 07:50 <DIR> d--hs---- C:\FOUND.012
    2007-10-02 13:31 <DIR> d-------- C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\AVG7

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-27 00:15 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-10-27 00:15 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-10-01 20:07 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2007-10-01 20:07 d w C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\AVG7
    2007-10-01 20:07 d w C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-01 20:07 d w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-01 20:07 d w C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-01 19:44 d w C:\Program Files\InterMute
    2007-09-29 22:21 d w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-23 20:01 6,016,952 ----a-w C:\Program Files\Firefox Setup 2.0.0.7.exe
    2007-09-23 19:57 23,876,904 ----a-w C:\Program Files\SkypeSetup.exe
    2007-09-23 19:57 d w C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\Skype
    2007-09-23 19:57 d w C:\Documents and Settings\All Users\Application Data\Skype
    2007-09-23 19:51 684,567 ----a-w C:\WINDOWS\system32\libeay32.dll
    2007-09-23 19:51 165,888 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2007-09-23 19:51 147,729 ----a-w C:\WINDOWS\system32\libssl32.dll
    2007-09-22 02:32 d w C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Application Data\U3
    2007-09-15 05:29 d w C:\Documents and Settings\Guest.TEST-M6CS8GOBBB.000\Application Data\U3
    2007-09-10 17:35 d w C:\Program Files\Common Files\SupportSoft
    2007-09-06 22:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-28_14.43.59.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-10-31 03:32:28 65,536 ----a-r C:\WINDOWS\Installer\{A654A805-41D9-40C7-AA46-4AF04F044D61}\ARPPRODUCTICON.exe
    + 2007-10-31 03:32:28 65,536 ----a-r C:\WINDOWS\Installer\{A654A805-41D9-40C7-AA46-4AF04F044D61}\NewShortcut2_4BDFD2CE632942E498019B3D1F10D79B.exe
    + 2007-10-31 03:32:28 65,536 ----a-r C:\WINDOWS\Installer\{A654A805-41D9-40C7-AA46-4AF04F044D61}\NewShortcut3_4BDFD2CE632942E498019B3D1F10D79B.exe
    + 2007-10-31 03:35:16 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81100000003}\SC_Reader.exe
    - 2007-10-25 06:05:52 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-02 14:11:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-10-25 06:05:52 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-02 14:11:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-10-28 18:36:06 110,192 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2007-10-31 03:40:00 114,176 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2006-06-05 20:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
    + 2006-06-05 20:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
    + 2006-06-05 20:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E290EEA6-927B-4201-A3E9-7A72E0637DBD}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\system32\pctspk.exe]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-04-19 18:39]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-04-19 18:34]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 00:16]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-14 12:34:48]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R0 vbikwjfz;vbikwjfz;C:\WINDOWS\System32\drivers\woksbvkq.dat

    *Newly Created Service* - VBIKWJFZ

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Creative Audio Studio V2.8]
    C:\WINDOWS\unimontr.exe
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-17 20:24:28 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2007-09-17 20:25:08 C:\WINDOWS\Tasks\RegistryCleanerXP.job"
    - C:\PROGRA~1\REGIST~1\REGIST~1.EXE
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 17:37:31
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-02 17:41:07 - machine was rebooted
    C:\ComboFix3.txt ... 2007-10-28 14:44
    C:\ComboFix2.txt ... 2007-10-29 14:49
    .
    --- E O F ---
    HJT file:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 5:49:17 PM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Lucky.TEST-M6CS8GOBBB.001\Desktop\HiJackThis_v2.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {E290EEA6-927B-4201-A3E9-7A72E0637DBD} - C:\WINDOWS\System32\gcdefm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6523 bytes

    Thanks again :)
  • VekaVeka Finland
    edited November 2007
    1. Please download Navilog1.zip and save it to your desktop.
    2. Right click on Navilog1.zip and select Extract All....
    3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
    4. Click on the Browse button. Click on Desktop. Then click OK.
    5. Click Next. It will start extracting.
    6. Once done, check (tick) the Show extracted files box.
    7. Double click on Navilog1.exe to start the installation. Select English as the installation language and click Next.
    8. Click Next again.
    9. Select I accept the agreement and click Next.
    10. Check (tick) Create a desktop icon box and click Next.
    11. Click Install, then click Finish.
    12. Double click on the shortcut created on your desktop to run Navilog1.
    13. Press E for English and press Enter.
    14. It will present you with a series of instructions, read through them and press Enter.
    15. At the end, you will be shown a menu. Press 1 and press Enter.
    16. It will start scanning. It will take a few minutes. Once done, it will prompt you to press any key to continue. Tap any key as requested.
    17. Notepad will open afterwards. Please copy and paste the contents of this Notepad file in your next reply.