
hijacked i think

Hello all, I seem to have been hijacked!!

I am unable to open many antivirus sites, and other sites in relation to my problem, and am also unable to download updates for my antivirus software.

Reading other people's posts, it seems this is my problem.

I downloaded HijackThis v1.99.1, and here are the results of my scan. I hope someone will be able to give some advice on what to do.
Thanks,
Tom.


Logfile of HijackThis v1.99.1
Scan saved at 17:57:32, on 06/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robattle.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142031400406
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C3B7AF3F-DFBB-4CA2-8B16-781DAE1CC583} (Weed Media Activator component) - https://www.shmedlic.com/V3/Consumer/ActivatorComponent/SML.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C07D2EDF-0276-4F0D-8184-20B81BE43AA6}: NameServer = 213.94.190.194,213.94.190.236
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
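A quick way to triage a log like the one above, as an added example that is not part of the original post or of HijackThis itself: the Python 3.8+ script below parses a handful of lines constructed in the same shape as this log and flags a core Windows binary name running from an unexpected directory (the svchost.exe under system32\drivers that appears both in the running-process list and in the HKCU Run entry), records the registry-set O17 DNS servers for review, and surfaces the unknown Winsock LSP. The table of expected directories is an assumption for a default Windows XP install.

```python
import re

# Where the core Windows XP binaries legitimately live (assumed default install).
# A file with one of these names starting from any other directory is the
# masquerade visible in the log above: svchost.exe under system32\drivers.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: a few lines in the shape of the HijackThis log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robattle.net
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C07D2EDF-0276-4F0D-8184-20B81BE43AA6}: NameServer = 213.94.190.194,213.94.190.236
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

EXE_PATH = re.compile(r'"?([a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)   # first drive-letter path ending in .exe
SECTION = re.compile(r"^([RO]\d+) - (.*)$")                          # "O4 - ...", "R0 - ..."
RUN_ENTRY = re.compile(r"^(\S+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")    # hive, value name, command
PROCESS = re.compile(r"^[a-z]:\\", re.IGNORECASE)                    # a line of the running-process list

def check_path(path):
    """Return a description if a core-binary name runs outside its home directory, else None."""
    directory, _, name = path.lower().rpartition("\\")
    home = SYSTEM_BINARY_HOMES.get(name)
    if home and directory != home:
        return f"{name} running from {path} (expected {home})"
    return None

def triage(log_text):
    """Scan a HijackThis log and return (section, severity, message) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if PROCESS.match(line):
            problem = check_path(line)
            if problem:
                findings.append(("process", "high", problem))
            continue
        m = SECTION.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            entry = RUN_ENTRY.match(rest)
            path = EXE_PATH.search(entry.group(3)) if entry else None
            problem = check_path(path.group(1)) if path else None
            if problem:
                findings.append(("O4", "high", f"{entry.group(1)} Run value [{entry.group(2)}]: {problem}"))
        elif section == "O23":
            # The service binary is the last " - " separated field of an O23 line.
            path = EXE_PATH.search(rest.rsplit(" - ", 1)[-1])
            problem = check_path(path.group(1)) if path else None
            if problem:
                findings.append(("O23", "high", problem))
        elif section == "O17":
            servers = rest.split("NameServer = ", 1)[-1]
            findings.append(("O17", "review",
                             f"DNS servers set in the registry: {servers}; confirm they belong to your ISP or router"))
        elif section == "O10":
            findings.append(("O10", "review", rest))
        elif section == "R0":
            findings.append(("R0", "info", rest))
    return findings

if __name__ == "__main__":
    for section, severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {message}")
```

The check is deliberately narrow: it only compares the directory of a well-known binary name against where that binary ships, so the AVG and Messenger entries pass untouched while the copy of svchost.exe under drivers is reported from both the process list and the Run key. Entries written with environment variables (such as %ProgramFiles%) or via rundll32 carry no drive-letter path and are skipped.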

Comments

  • edited October 2008
    Sorry, the correct list and uninstall list should be the following (I should have read the other posts more closely :) )

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:18:27, on 06/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robattle.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142031400406
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C3B7AF3F-DFBB-4CA2-8B16-781DAE1CC583} (Weed Media Activator component) - https://www.shmedlic.com/V3/Consumer/ActivatorComponent/SML.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C07D2EDF-0276-4F0D-8184-20B81BE43AA6}: NameServer = 213.94.190.194,213.94.190.236
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 6965 bytes

    AC3Filter (remove only)
    Ad-Aware
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player Plugin
    Adobe Reader 7.0
    Apple Mobile Device Support
    Apple Software Update
    Ashampoo Burning Studio 8.03
    Athlon 64 Processor Driver
    ATI Control Panel
    ATI Display Driver
    AutoCAD 2002
    AVG Free 8.0
    Betfair Poker
    Bonjour
    CloneDVD2
    Compaq Presario r4000 User Guides
    Conexant AC-Link Audio
    ConvertXtoDVD 2.2.2.256
    DAEMON Tools
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    DVD-CLONER V3.30 Build 897
    Easy CD-DA Extractor 11
    Easy Internet Sign-up
    eMule
    eMule2
    FlashFXP v3
    Football Manager 2006
    Google Toolbar for Firefox
    HijackThis 2.0.2
    HP Extended Capabilities 5.3
    HP Image Zone Express
    HP Imaging Device Functions 5.3
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    HP Wireless Assistant
    InterActual Player
    InterVideo WinDVD
    iTunes
    J2SE Runtime Environment 5.0
    Lame ACM MP3 Codec
    Logitech MouseWare 9.29 .3
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Office XP Media Content
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.0.3)
    MSN Messenger 7.5
    MSN Toolbar
    MSXML 4.0 SP2 (KB927978)
    Napster Burn Engine
    Nokia PC Suite 6.1
    Now SMS/MMS Gateway
    nullDC 1.0.0 Public Beta 1 Setup
    OpenMG Secure Module 4.3.00
    PCI 1620 Cardbus Controller and Software
    PDF Manual NW-A10003000
    PFConfig 1.0.172
    Quick Launch Buttons 5.10 A2
    QuickTime
    Robattle Installer 3.00
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    SiSoftware Sandra Professional 2003
    SoftV90 Data Fax Modem with SmartCP
    Sonic RecordNow!
    Sonic Update Manager
    Sony Ericsson PC Suite
    Spyware Doctor 6.0
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    UserGuides
    VideoLAN VLC media player 0.8.6a
    WinAVI Video Converter
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884575
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086
    WinRAR archiver
    Xfire (remove only)
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger with BT Communicator
    Yahoo! Toolbar
  • edited October 2008
    Hello. :)


    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    ==============================================


    Ok. Let's have you download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed, you will need to use SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review (copy and paste them, not attach), so that we may continue cleansing the system:

    MBAM log
    C:\ComboFix.txt
    New HijackThis log

    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited October 2008
    Malwarebytes' Anti-Malware 1.28
    Database version: 1240
    Windows 5.1.2600 Service Pack 2

    07/10/2008 17:58:01
    mbam-log-2008-10-07 (17-58-01).txt

    Scan type: Quick Scan
    Objects scanned: 48563
    Time elapsed: 3 minute(s), 43 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 3
    Folders Infected: 1
    Files Infected: 13

    Memory Processes Infected:
    C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\750623 (Trojan.BHO) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssadw.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\TDSSl.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdsslog.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssserf1.dll (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssservers.dat (Trojan.TDSS) -> Delete on reboot.
    C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.




    ComboFix 08-10-07.01 - User 2008-10-07 18:25:46.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.682 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\User\Application Data\inst.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_TDSSSERV
    \Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
    .

    2008-10-07 17:50 . 2008-10-07 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-07 17:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-07 17:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-06 18:18 . 2008-10-06 18:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-06 01:00 . 2008-10-06 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-10-05 20:45 . 2008-10-05 21:35 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-10-05 18:28 . 2008-10-05 18:28 <DIR> d-------- C:\Program Files\Alwil Software
    2008-09-23 00:31 . 2008-10-07 18:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-09-23 00:31 . 2008-09-23 00:31 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-07 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2008-10-07 06:51 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
    2008-10-06 00:02 --------- d-----w C:\Program Files\Auto Maintenance Plus 7.2
    2008-09-02 21:01 6,236 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
    2008-08-28 17:10 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-08-28 17:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-27 18:13 --------- d-----w C:\Documents and Settings\User\Application Data\My Games
    2008-08-27 18:10 --------- d-s---w C:\Program Files\Xfire
    2008-08-27 18:10 --------- d-----w C:\Documents and Settings\User\Application Data\Xfire
    2008-08-27 18:01 --------- d-----w C:\Documents and Settings\User\Application Data\InstallShield Installation Information
    2008-08-27 18:01 --------- d-----w C:\Documents and Settings\User\Application Data\Firaxis Games
    2008-08-20 21:17 --------- d-----w C:\Documents and Settings\User\Application Data\Vso
    2008-08-19 19:44 --------- d-----w C:\Documents and Settings\User\Application Data\Ashampoo
    2008-08-19 19:42 --------- d-----w C:\Program Files\Ashampoo
    2008-08-19 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
    2008-08-18 18:58 --------- d-----w C:\Program Files\Betfair
    2008-08-18 18:58 --------- d-----w C:\Documents and Settings\User\Application Data\Betfair
    2008-08-17 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-17 11:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-17 11:31 --------- d-----w C:\Program Files\Spyware Doctor
    2008-08-17 11:23 --------- d-----w C:\Documents and Settings\User\Application Data\PC Tools
    2008-05-21 22:40 47,360 ----a-w C:\Documents and Settings\User\Application Data\pcouffin.sys
    2005-07-25 07:45 136 ----a-w C:\Program Files\http--www.emule-paradise.com-.url
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 344064]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2005-02-17 36972]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 385024]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
    "hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
    "DataLayer"="C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" [2004-05-06 1159168]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [2004-03-23 147968]
    "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-07-26 34816]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 81920]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.DIVF"= DivX412.dll
    "vidc.vp31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Pml Driver HPZ12"=2 (0x2)
    "iPod Service"=3 (0x3)
    "hpqwmi"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "SPTISRV"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4660:TCP"= 4660:TCP:Emule TCP
    "4670:UDP"= 4670:UDP:Emule UDP

    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 192896]
    S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
    S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
    S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
    S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
    S3 NTPASp50;NTPASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\NTPASp50.sys [2005-02-23 17536]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SNM - C:\Program Files\SpyNoMore\SNM.exe


    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\sy0w2o0f.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ie
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJPI150.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPOJI610.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 18:30:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????I????|?????? ?,?B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\ComboFix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-10-07 18:33:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-07 17:33:28

    Pre-Run: 21,310,320,640 bytes free
    Post-Run: 21,377,818,624 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    171



    '' This is the first time I ran ComboFix; I ran it a second time as I think I had Ad-Aware left running by mistake. The following is the result of running it the second time with Ad-Aware turned off. Hopefully this does not make matters more difficult - tom :confused: ''

    ComboFix 08-10-07.01 - User 2008-10-07 18:39:13.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.681 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
    .

    2008-10-07 17:50 . 2008-10-07 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-07 17:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-07 17:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-06 18:18 . 2008-10-06 18:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-06 01:00 . 2008-10-06 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-10-05 20:45 . 2008-10-05 21:35 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-10-05 18:28 . 2008-10-05 18:28 <DIR> d-------- C:\Program Files\Alwil Software
    2008-09-23 00:31 . 2008-10-07 18:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-09-23 00:31 . 2008-09-23 00:31 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-07 17:23 d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2008-10-07 06:51 d-----w C:\Documents and Settings\User\Application Data\uTorrent
    2008-10-06 00:02 d-----w C:\Program Files\Auto Maintenance Plus 7.2
    2008-09-02 21:01 6,236 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
    2008-08-28 17:10 d-----w C:\Program Files\SUPERAntiSpyware
    2008-08-28 17:10 d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-27 18:13 d-----w C:\Documents and Settings\User\Application Data\My Games
    2008-08-27 18:10 d-s---w C:\Program Files\Xfire
    2008-08-27 18:10 d-----w C:\Documents and Settings\User\Application Data\Xfire
    2008-08-27 18:01 d-----w C:\Documents and Settings\User\Application Data\InstallShield Installation Information
    2008-08-27 18:01 d-----w C:\Documents and Settings\User\Application Data\Firaxis Games
    2008-08-20 21:17 d-----w C:\Documents and Settings\User\Application Data\Vso
    2008-08-19 19:44 d-----w C:\Documents and Settings\User\Application Data\Ashampoo
    2008-08-19 19:42 d-----w C:\Program Files\Ashampoo
    2008-08-19 19:42 d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
    2008-08-18 18:58 d-----w C:\Program Files\Betfair
    2008-08-18 18:58 d-----w C:\Documents and Settings\User\Application Data\Betfair
    2008-08-17 11:45 d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-17 11:32 d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-17 11:31 d-----w C:\Program Files\Spyware Doctor
    2008-08-17 11:23 d-----w C:\Documents and Settings\User\Application Data\PC Tools
    2008-07-31 09:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
    2008-07-31 09:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
    2008-07-31 09:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
    2008-07-12 07:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
    2008-07-12 07:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
    2008-07-12 07:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
    2008-05-21 22:40 47,360 ----a-w C:\Documents and Settings\User\Application Data\pcouffin.sys
    2005-07-25 07:45 136 ----a-w C:\Program Files\http--www.emule-paradise.com-.url
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 344064]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2005-02-17 36972]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 385024]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
    "hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
    "DataLayer"="C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" [2004-05-06 1159168]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [2004-03-23 147968]
    "EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-07-26 34816]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 81920]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.DIVF"= DivX412.dll
    "vidc.vp31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Pml Driver HPZ12"=2 (0x2)
    "iPod Service"=3 (0x3)
    "hpqwmi"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "SPTISRV"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4660:TCP"= 4660:TCP:Emule TCP
    "4670:UDP"= 4670:UDP:Emule UDP

    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-06-10 192896]
    S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-03-04 52384]
    S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-03-04 6096]
    S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-03-04 87456]
    S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 77072]
    S3 NTPASp50;NTPASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\NTPASp50.sys [2005-02-23 17536]

    *Newly Created Service* - CATCHME
    .
    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\sy0w2o0f.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ie
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPJPI150.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0\bin\NPOJI610.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 18:40:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????I????|?????? ?,?B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-07 18:40:44
    ComboFix-quarantined-files.txt 2008-10-07 17:40:41
    ComboFix2.txt 2008-10-07 17:33:33

    Pre-Run: 21,393,952,768 bytes free
    Post-Run: 21,383,225,344 bytes free

    148




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:54:38, on 07/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.robattle.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=presario&pf=laptop
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142031400406
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C3B7AF3F-DFBB-4CA2-8B16-781DAE1CC583} (Weed Media Activator component) - https://www.shmedlic.com/V3/Consumer/ActivatorComponent/SML.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C07D2EDF-0276-4F0D-8184-20B81BE43AA6}: NameServer = 213.94.190.194,213.94.190.236
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 6352 bytes



    AC3Filter (remove only)
    Ad-Aware
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player Plugin
    Adobe Reader 7.0
    Apple Mobile Device Support
    Apple Software Update
    Ashampoo Burning Studio 8.03
    Athlon 64 Processor Driver
    ATI Control Panel
    ATI Display Driver
    AutoCAD 2002
    Betfair Poker
    Bonjour
    CloneDVD2
    Compaq Presario r4000 User Guides
    Conexant AC-Link Audio
    ConvertXtoDVD 2.2.2.256
    DAEMON Tools
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    DVD-CLONER V3.30 Build 897
    Easy CD-DA Extractor 11
    Easy Internet Sign-up
    eMule
    eMule2
    FlashFXP v3
    Football Manager 2006
    Google Toolbar for Firefox
    HijackThis 2.0.2
    HP Extended Capabilities 5.3
    HP Image Zone Express
    HP Imaging Device Functions 5.3
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    HP Wireless Assistant
    InterActual Player
    InterVideo WinDVD
    iTunes
    J2SE Runtime Environment 5.0
    Lame ACM MP3 Codec
    Logitech MouseWare 9.29 .3
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Office XP Media Content
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.0.3)
    MSN Messenger 7.5
    MSN Toolbar
    MSXML 4.0 SP2 (KB927978)
    Napster Burn Engine
    Nokia PC Suite 6.1
    Now SMS/MMS Gateway
    nullDC 1.0.0 Public Beta 1 Setup
    OpenMG Secure Module 4.3.00
    PCI 1620 Cardbus Controller and Software
    PDF Manual NW-A10003000
    PFConfig 1.0.172
    Quick Launch Buttons 5.10 A2
    QuickTime
    Robattle Installer 3.00
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    SiSoftware Sandra Professional 2003
    SoftV90 Data Fax Modem with SmartCP
    Sonic RecordNow!
    Sonic Update Manager
    Sony Ericsson PC Suite
    Spyware Doctor 6.0
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    UserGuides
    VideoLAN VLC media player 0.8.6a
    WinAVI Video Converter
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884575
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086
    WinRAR archiver
    Xfire (remove only)
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger with BT Communicator
    Yahoo! Toolbar



    Thanks very much for the quick reply, and hopefully the above will make sense to you :)

    thanks,
    Tom
  • edited October 2008
    HijackThis log looks clean to me.

    However since HijackThis does not scan the entire system, please go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply.


    Let's see how it turns out. :)
  • edited October 2008
    Again, thanks for the quick reply :rockon:, here is the txt file from ActiveScan.
    Regards,
    tom :)


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-10-08 22:14:51
    PROTECTIONS: 0
    MALWARE: 11
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00041446 application/myway HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
    00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@888[1].txt
    00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@888[2].txt
    00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@cassava[1].txt
    00394770 Application/SpyNoMore HackTools No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP226\A0031377.exe
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP272\A0037317.EXE
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP272\A0037304.sys
    02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@adsrevenue[1].txt
    03249984 Adware/Startpage.JY Adware No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP248\A0033256.exe
    03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\User\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\Program Files\MSN Messenger\msnmsgr.exe
    No C:\WINDOWS\Installer\MSN Messenger 7.5.0299\MsnMsgs.Msi[unk_0035][msnmsgrexe]
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    184380 MEDIUM MS08-002
    184379 MEDIUM MS08-001
    182048 HIGH MS07-069
    182046 HIGH MS07-067
    182043 HIGH MS07-064
    179553 HIGH MS07-061
    176382 HIGH MS07-057
    176383 HIGH MS07-058
    170911 HIGH MS07-050
    170907 HIGH MS07-046
    170906 HIGH MS07-045
    170904 HIGH MS07-043
    164915 HIGH MS07-035
    164913 HIGH MS07-033
    164911 HIGH MS07-031
    160623 HIGH MS07-027
    157262 HIGH MS07-022
    157261 HIGH MS07-021
    157260 HIGH MS07-020
    157259 HIGH MS07-019
    156477 HIGH MS07-017
    ;===================================================================================================================================================================================
  • edited October 2008
    ActiveScan detected Myway on your system.

    We usually consider this optional to remove. You can read more about it here:
    http://www.adwarereport.com/mt/archives/000062.html

    (Don't follow the removal instructions there, they are fairly tedious and not necessary)

    Let me know if you would like to remove Myway.
  • edited October 2008
    I don't use IE, but I may as well remove it. Again, many thanks for your quick reply and the help you have given.
    :respect:

    regards
    tom
  • edited October 2008
    Alright, let's remove it.

    Please go to Control Panel > Add/Remove Programs and uninstall the following if present:
    My Web Search (Smiley Central or FWP product as applicable)
    My Way Speedbar (Smiley Central or other FWP as applicable)
    My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    Search Assistant - My Way
    My Web Search

    Restart your computer even if not prompted.


    Open My Computer, Drive C, and double-click on the Program Files folder
    Right-click and delete the folders for MyWeb, MySearch, etc if found.


    Then, please run Notepad and paste the following text into a new file:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}]

    Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.



    Now, this will clear away any of the files and folders that were created by ComboFix.

    Go to:
    Start > Run, then copy and paste the following highlighted text below into the box and click OK.



    ComboFix /u

    CF_Cleanup.png



    Finally, flush System Restore by following the instructions here:
    http://safecomputing.umn.edu/guides/systemrestore.html



    Run Panda ActiveScan again and post the new log in your reply. Let's see how it turns out this time. :)
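    As an added example (not part of this thread and not Panda's own tooling), a small Python script that parses the MALWARE rows of the ActiveScan log format quoted in this thread, groups each finding by which of the steps above addresses it, and compares a rescan against the first scan. The sample rows and the location-to-step mapping are constructed here for illustration.

```python
import re

# Constructed excerpt in the layout of the Panda ActiveScan log posted in this
# thread (four of its MALWARE rows, plus a rescan); not real scanner output.
SCAN_BEFORE = r"""
MALWARE: 4
Id Description Type Active Severity Disinfectable Disinfected Location
00041446 application/myway HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP272\A0037304.sys
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\User\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
SUSPECTS
"""
SCAN_AFTER = r"""
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
"""

# One MALWARE row: 8-digit id, description (may contain spaces), type, then
# Active / Severity / Disinfectable / Disinfected, then the location (may contain spaces).
ROW = re.compile(r"^(\d{8})\s+(.+?)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+?)\s*$")

def parse_malware(text):
    # Header, SUSPECTS and VULNERABILITIES lines never match ROW, so no section tracking is needed.
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"id": m[1], "desc": m[2], "type": m[3], "location": m[8]})
    return rows

STEPS = [  # (substring of the lowercased location, cleanup step from the thread); constructed mapping
    ("hkey_", "registry key: delete with the fix.reg file"),
    ("\\system volume information\\_restore", "old restore point: flush System Restore"),
    ("\\cookies\\", "tracking cookie: clear browser cookies"),
    ("combofix", "ComboFix component: removed by ComboFix /u"),
]

def cleanup_step(location):
    loc = location.lower()
    return next((step for key, step in STEPS if key in loc), "other: review manually")

def summarize(text):
    groups = {}
    for row in parse_malware(text):
        groups.setdefault(cleanup_step(row["location"]), []).append(row["desc"])
    return groups

def resolved_ids(before, after):
    remaining = {r["id"] for r in parse_malware(after)}
    return [r["id"] for r in parse_malware(before) if r["id"] not in remaining]
```

    Findings whose location is an old restore point are only removed by flushing System Restore, which is why that step follows the registry fix here.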
  • edited October 2008
    Here is the new Panda ActiveScan:


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-10-09 22:58:49
    PROTECTIONS: 0
    MALWARE: 5
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
    00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@888[1].txt
    00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@888[2].txt
    00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@cassava[1].txt
    02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@adsrevenue[1].txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\Program Files\MSN Messenger\msnmsgr.exe
    No C:\WINDOWS\Installer\MSN Messenger 7.5.0299\MsnMsgs.Msi[unk_0035][msnmsgrexe]
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    184380 MEDIUM MS08-002
    184379 MEDIUM MS08-001
    182048 HIGH MS07-069
    182046 HIGH MS07-067
    182043 HIGH MS07-064
    179553 HIGH MS07-061
    176382 HIGH MS07-057
    176383 HIGH MS07-058
    170911 HIGH MS07-050
    170907 HIGH MS07-046
    170906 HIGH MS07-045
    170904 HIGH MS07-043
    164915 HIGH MS07-035
    164913 HIGH MS07-033
    164911 HIGH MS07-031
    160623 HIGH MS07-027
    157262 HIGH MS07-022
    157261 HIGH MS07-021
    157260 HIGH MS07-020
    157259 HIGH MS07-019
    156477 HIGH MS07-017
    ;===================================================================================================================================================================================




    Hopefully everything is OK, :vimp: I seem to have none of the trouble I was having before. What are the best antivirus/spyware programs to have running on a computer?
    Again, many thanks for your help so far.
    regards
    tom
  • edited October 2008
    Yep everything appears OK now.

    This will clear away any of the files and folders that were created by ComboFix.

    Go to:
    Start > Run, then copy and paste the following highlighted text below into the box and click OK.



    ComboFix /u

    CF_Cleanup.png


    I'll post some things you should be aware of, and some security software that you may wish to use, after you've done the above.
  • edited October 2008
    I have run the ComboFix removal command; it said it uninstalled. I ran it again just in case and it said it could not be found.
    So thank you once again for all the help and good work you are doing in helping out the likes of me, who would be lost otherwise in trying to get rid of some of these viruses. :D:D:D
    regards
    Tom
  • edited October 2008
    You're welcome. :)

    You may wish to peruse this thread here for some tips on keeping your computer clean and secure:
    http://icrontic.com/forum/showthread.php?t=39435

    For recommendations on security software, you may check out:
    http://parasitedb.com/recommendations.html

    Let me know if you have any more questions.
  • VekaVeka Finland
    edited October 2008
    Glad we could be of assistance! The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)
    _______________________________
    Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.