
Malware Removed ... I think? Now having Firewall problems!



Hi all,

I have not had much experience in removing malware etc.; however, a few days ago my PC started slowing right down and was pretty much non-responsive.

I ran Spybot, Adware and AVG Antivirus, all of which detected various nasties. I removed and/or deleted the various findings and thought all was OK. However, I have since discovered that my Windows Firewall is not starting at each startup. I can turn it on manually each time, but clearly something is not quite right.

After reading the posts on this (and other) forums, I downloaded RogueRemover and this found SVCHOST.EXE and suggested I remove it. My understanding is that this is actually a legit program?

Just looking for some advice as to how I can (1) be sure I have cleansed my PC of all malware etc, and (2) see if I can find out why the Windows Firewall is suddenly turning itself off.

Any advice or help will be much appreciated.

Cheers

Highroller


Actually, I read some more posts and have downloaded AVG Anti-Spyware and Hijackthis.

AVG found 3 trojans which I took recommended action against. Below are the log reports; I'd appreciate any help you guys can offer.

Thanks.

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 9:54:45 PM 31/10/2007

+ Scan result:

D:\Downloads\DVD Downloads\windvd3257 - build 57 - hopefully.zip/windvd.crack.30057.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined).

D:\Downloads\DVD Downloads\windvd3_.zip/windvd.crack.30057.exe -> Backdoor.Theef.111 : Cleaned with backup (quarantined).

C:\Documents and Settings\The Little Man\Cookies\the_little_man@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the little man@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the little man@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@ehg-legonewyorkinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the little man@ehg-hasbro.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@ehg-hitent.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@ehg-warnerbrothers.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the little man@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the little man@navrcholu[1].txt -> TrackingCookie.Navrcholu : Cleaned.

C:\Documents and Settings\Adam\Cookies\adam@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@try.starware[2].txt -> TrackingCookie.Starware : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\Adam\Cookies\adam@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.

C:\Documents and Settings\Kylie\Cookies\kylie@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.

C:\Documents and Settings\The Little Man\Cookies\the_little_man@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.

C:\Program Files\Alcohol Soft\Alcohol 120\star_syn_client.dll -> Trojan.Agent.abd : Cleaned with backup (quarantined).

C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-3c4ded0-2b9bfcce.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup (quarantined).

::Report end


And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:58:11 PM, on 31/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Gigabyte\ET5\GUI.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: HXD Service 100 (HackerDefender100) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 12681 bytes

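The question in the opening post, whether svchost.exe is legitimate, turns on where the file lives: Windows keeps svchost.exe in C:\WINDOWS\system32, while the two "[Windows Firewall]" Run entries and the "HXD Service 100 (HackerDefender100)" service in the log above launch a copy from C:\WINDOWS\System32\drivers. As an added example (not from this thread, HijackThis, or any tool named here), the Python script below triages HJT O4/O23 lines for core-binary names in the wrong directory, correlates autostart entries that share a path, and flags O1 hosts entries that send security-vendor domains anywhere but loopback; the sample log mixes lines copied from the thread with constructed ones (marked in the comment) using RFC 5737 documentation addresses.

```python
"""Triage a HijackThis log for the two signals this thread turns on.

Added example: not part of the forum thread or of HijackThis itself.
Sample log lines are copied from the thread or constructed (marked below).
"""
import re
from typing import Optional

# Core Windows binaries and the only directory each is legitimately run from
# on an XP-era install. A copy elsewhere (e.g. system32\drivers) is a red flag.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Substrings identifying security vendors whose domains malware redirects in the
# hosts file so that updates and online scanners stop working.
SECURITY_VENDOR_KEYWORDS = (
    "avast", "avira", "antivir", "avp", "bitdefender", "clamav", "drweb",
    "eset", "kaspersky", "lavasoft", "symantec", "mcafee", "trendmicro",
)

# Hosts entries pointing here are ordinary ad-blocking, not a hijack.
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_path(cmd: str) -> str:
    """Return the program path from a Run-key or service command line.

    Handles a quoted path followed by arguments, an unquoted path ending in .exe
    followed by arguments or HijackThis's "(User '...')" suffix, and a bare name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def check_system_binary(path: str) -> Optional[str]:
    """Flag a core Windows binary name launched from a directory Windows never uses for it."""
    directory, _, name = path.lower().rpartition("\\")
    expected = SYSTEM_BINARIES.get(name)
    if expected is None or not directory:
        # Not a core binary, or a bare name resolved via PATH: nothing to judge here.
        return None
    if directory == expected:
        return None
    return f"{name} launched from unexpected directory {path}"


def check_hosts_entry(ip: str, host: str) -> Optional[str]:
    """Flag a hosts entry that sends a security vendor's domain anywhere but loopback."""
    if not any(k in host.lower() for k in SECURITY_VENDOR_KEYWORDS):
        return None
    if ip.startswith(LOOPBACK_PREFIXES):
        return None
    return f"security-vendor host {host} redirected to {ip}"


def triage(log_text: str) -> dict:
    """Walk a HijackThis log; return findings and the entries referencing each flagged path.

    One path appearing in several autostart locations (here HKLM Run, HKCU Run
    and a service) is itself evidence of a deliberate persistence setup.
    """
    findings = []
    references = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O1_RE.match(line)):
            if (hit := check_hosts_entry(m["ip"], m["host"])):
                findings.append(f"O1: {hit}")
        elif (m := O4_RE.match(line)):
            path = executable_path(m["cmd"])
            if (hit := check_system_binary(path)):
                findings.append(f"O4 {m['hive']} [{m['name']}]: {hit}")
                references.setdefault(path.lower(), []).append(f"O4 {m['hive']} [{m['name']}]")
        elif (m := O23_RE.match(line)):
            path = executable_path(m["path"])
            if (hit := check_system_binary(path)):
                findings.append(f"O23 {m['name']}: {hit}")
                references.setdefault(path.lower(), []).append(f"O23 {m['name']}")
    return {"findings": findings, "references": references}


# Constructed: the three O1 lines and the ExampleSvc service (RFC 5737 addresses,
# made-up service). All other lines are copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 198.51.100.7 updates5.kaspersky-labs.com
O1 - Hosts: 203.0.113.44 rs01.avast.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: HXD Service 100 (HackerDefender100) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe
O23 - Service: Example Host (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result["findings"]:
        print(finding)
    for path, refs in result["references"].items():
        print(f"{path} is referenced by {len(refs)} autostart entries: {', '.join(refs)}")
```

Note that the legitimate `C:\WINDOWS\system32\svchost.exe -k netsvcs` service and the CDAC11BA.EXE driver-directory service both pass: the check keys on a core binary's name being paired with the wrong directory, not on the directory alone.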

Hello Highroller and welcome to Malwarebytes.

Please set your system to show all files:

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View tab.

* Under the Hidden files and folders heading, select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

Now please do this:

Print or copy these instructions to Notepad and save to your Desktop, as you will be offline with all browsers closed for this fix.

Download:

Use this URL to download the latest version (the file contains both English and French versions):

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

* Double-click SmitfraudFix.exe

* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Clean:

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

* Double-click SmitfraudFix.exe

* Select 2 and hit Enter to delete infected files.

* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

* Optional:

o To restore Trusted and Restricted site zone, select 3 and hit Enter.

o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Post the results of the Smitfraud as a reply.

Then also please go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum. Post that log for me and a new HJT log also. We will see what is left to do.


Thank you, Jean. Since posting I followed the Sticky advice and think I may have solved all problems.

Should I still perform the operations you have suggested above? Here is a Hijackthis log FYI. Let me know if I need to still clean my system.

Thanks so much for helping me.

Highroller

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:42:52 PM, on 3/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Gigabyte\ET5\GUI.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe

C:\Program Files\Ahead\nero\nero.exe

C:\WINDOWS\system32\imapi.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9477 bytes


No, you have not followed instructions and you have not solved all problems. I need the log from the Panda scan, and you need to run the Smitfraud fix. Then post that log also. After Panda and Smitfraud have been run and the logs posted, another HJT log is also needed.


Hi Highroller. OK, we have confirmed infection of a backdoor trojan. I must tell you all your confidential information has been potentially compromised. You need to notify banking, credit cards and change all passwords immediately. We may be able to completely remove the trojan, but there is only one way to be completely sure and that is to reformat.

Trojan Programs

Trojans can be classified according to the actions which they carry out on victim machines.

* Backdoors

* General Trojans

* PSW Trojans

* Trojan Clickers

* Trojan Downloaders

* Trojan Droppers

* Trojan Proxies

* Trojan Spies

* Trojan Notifiers

* ArcBombs

* Rootkits

Backdoors

Today backdoors are the most dangerous type of Trojans and the most widespread. These Trojans are remote administration utilities that open infected machines to external control via a LAN or the Internet. They function in the same way as legal remote administration programs used by system administrators. This makes them difficult to detect.

The only difference between a legal administration tool and a backdoor is that backdoors are installed and launched without the knowledge or consent of the user of the victim machine. Once the backdoor is launched, it monitors the local system without the user's knowledge; often the backdoor will not be visible in the log of active programs.

Once a remote administration utility has been successfully installed and launched, the victim machine is wide open. Backdoor functions can include:

* Sending/receiving files

* Launching/deleting files

* Executing files

* Displaying notification

* Deleting data

* Rebooting the machine

In other words, backdoors are used by virus writers to detect and download confidential information, execute malicious code, destroy data, include the machine in bot networks and so forth. In short, backdoors combine the functionality of most other types of Trojans in one package.

Backdoors have one especially dangerous sub-class: variants that can propagate like worms. The only difference is that worms are programmed to propagate constantly, whereas these 'mobile' backdoors spread only after a specific command from the 'master'.

If you wish to proceed, do this:

1. Download this file :

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Thanks Jean - sounds bad.

Here is the Combofix log:

ComboFix 07-11-01.1** - Adam 2007-11-05 21:18:44.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.637 [GMT 9:00]

Running from: D:\Downloads\Utilities\Spyware Utilities\combofix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\drivers\sfsync03.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_SFSYNC03

-------\sfsync03

((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))

.

2007-11-05 20:49 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-05 17:34 <DIR> d-------- C:\hegames

2007-11-04 08:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-11-03 21:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-11-03 21:30 3,760 --a------ C:\WINDOWS\system32\tmp.reg

2007-11-03 20:13 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-11-03 20:13 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2007-11-03 19:13 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2007-11-03 19:11 <DIR> d-------- C:\Program Files\MSBuild

2007-11-03 19:11 <DIR> d-------- C:\Program Files\Microsoft Works

2007-11-03 19:08 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-11-03 19:06 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8

2007-11-03 19:05 <DIR> d-------- C:\WINDOWS\SHELLNEW

2007-11-03 19:04 <DIR> dr-h----- C:\MSOCache

2007-11-03 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

2007-11-03 17:30 <DIR> d-------- C:\Documents and Settings\The Little Man\Application Data\Grisoft

2007-11-01 20:59 <DIR> d-------- C:\Program Files\Java

2007-11-01 20:59 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-01 20:58 0 -ra------ C:\WINDOWS\system32\drivers\hxdefdrv.sys

2007-11-01 20:38 <DIR> d-------- C:\mwav

2007-11-01 20:38 <DIR> d-------- C:\Downloads

2007-11-01 20:38 <DIR> d-------- C:\Bases

2007-11-01 07:55 <DIR> d-------- C:\Documents and Settings\Kylie\Application Data\Grisoft

2007-10-31 20:32 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Grisoft

2007-10-31 20:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-10-31 20:29 <DIR> d-------- C:\Program Files\Trend Micro

2007-10-30 23:35 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\DivX

2007-10-30 22:50 <DIR> d-------- C:\Program Files\ShellExView

2007-10-30 22:50 39,424 --a------ C:\WINDOWS\zipinst.exe

2007-10-29 21:42 <DIR> d-------- C:\Program Files\RogueRemover FREE

2007-10-28 19:42 <DIR> d-------- C:\Program Files\Wondershare

2007-10-20 11:18 <DIR> d-------- C:\Documents and Settings\Adam\WINDOWS

2007-10-16 21:38 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Microsoft Web Folders

2007-10-13 20:05 3,666,293 --a------ C:\WINDOWS\LEGO Star Wars.SCR

2007-10-13 20:04 <DIR> d-------- C:\Documents and Settings\The Little Man\Application Data\iScreensaver

2007-10-06 19:30 <DIR> d-------- C:\Program Files\Vodei

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-05 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7

2007-11-04 22:02 --------- d-----w C:\Documents and Settings\Adam\Application Data\Azureus

2007-11-04 00:31 --------- d-----w C:\Program Files\QuickTime

2007-11-04 00:26 --------- d-----w C:\Program Files\GetRight

2007-11-02 15:05 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-11-02 15:01 --------- d-----w C:\Program Files\GameSpy Arcade

2007-10-31 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft

2007-10-30 13:48 --------- d-----w C:\Program Files\DivX

2007-10-30 12:26 40,136 ----a-w C:\WINDOWS\system32\drivers\ET5Drv.sys

2007-10-29 12:58 --------- d-----w C:\Documents and Settings\Adam\Application Data\AVG7

2007-10-16 12:38 --------- d-----w C:\Program Files\microsoft frontpage

2007-10-06 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2007-10-06 10:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-09-15 05:04 --------- d-----w C:\Program Files\MoTeC

2007-09-15 03:50 224,292 ----a-w C:\WINDOWS\rFactor Data Acquisition Plugin Uninstaller.exe

2007-09-15 03:43 --------- d-----w C:\Documents and Settings\Adam\Application Data\MoTeC

2007-09-13 12:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-09-10 12:15 --------- d-----w C:\Program Files\Azureus

2007-09-03 12:48 737,280 ----a-w C:\WINDOWS\iun6002.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 19:38]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 14:47]

"nwiz"="nwiz.exe" [2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 14:47]

"EasyTuneV"="C:\Program Files\Gigabyte\ET5\GUI.exe" [2007-10-30 21:26]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]

"SoundMan"="SOUNDMAN.EXE" [2006-08-03 06:12 C:\WINDOWS\soundman.exe]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]

"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]

"NWEReboot"="" []

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-18 23:13]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00]

"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 17:03]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]

"Start WingMan Profiler"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Windows Firewall"=C:\WINDOWS\System32\drivers\svchost.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-09-12 22:31:41]

NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2005-04-17 22:56:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys

R3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32

R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys

R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys

R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys

S3 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys

S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys

S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\racer.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-05 21:24:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes

C:\WINDOWS\WindowsUpdate.log 1967701 bytes

C:\WINDOWS\winhelp.exe 256192 bytes

C:\WINDOWS\winhlp32.exe 283648 bytes executable

C:\WINDOWS\wmprfnld.prx 32964 bytes

C:\WINDOWS\winnt.bmp 48680 bytes

C:\WINDOWS\winnt256.bmp 48680 bytes

C:\WINDOWS\WinSxS

C:\WINDOWS\WMFDist11.log 30409 bytes

C:\WINDOWS\wmp11.log 18798 bytes

C:\WINDOWS\WMPrfAra.prx 33336 bytes

C:\WINDOWS\WMPrfCHS.prx 19492 bytes

C:\WINDOWS\WMPrfCHT.prx 18804 bytes

C:\WINDOWS\wmprfcsy.prx 35474 bytes

C:\WINDOWS\wmprfdan.prx 31712 bytes

C:\WINDOWS\WMPrfDeu.prx 33820 bytes

C:\WINDOWS\wmprfell.prx 36594 bytes

C:\WINDOWS\wmprfesp.prx 35590 bytes

C:\WINDOWS\wmprffin.prx 31764 bytes

C:\WINDOWS\wmprffra.prx 37916 bytes

C:\WINDOWS\wmprfheb.prx 28718 bytes

C:\WINDOWS\wmprfhun.prx 37014 bytes

C:\WINDOWS\wmprfita.prx 35680 bytes

C:\WINDOWS\WMPrfJpn.prx 23304 bytes

C:\WINDOWS\WMPrfKor.prx 22338 bytes

C:\WINDOWS\wmprfnor.prx 32852 bytes

C:\WINDOWS\wmprfplk.prx 35822 bytes

C:\WINDOWS\wmprfptb.prx 33694 bytes

C:\WINDOWS\wmprfptg.prx 35916 bytes

C:\WINDOWS\wmprfrus.prx 35306 bytes

C:\WINDOWS\wmprfsky.prx 38232 bytes

C:\WINDOWS\wmprfslv.prx 33580 bytes

C:\WINDOWS\wmprfsve.prx 33314 bytes

C:\WINDOWS\wmprftrk.prx 32022 bytes

C:\WINDOWS\wmsetup.log 126189 bytes

C:\WINDOWS\wmsetup10.log 1030 bytes

C:\WINDOWS\WMSysPr9.prx 316640 bytes

C:\WINDOWS\Wudf01000Inst.log 11482 bytes

C:\WINDOWS\Zapotec.bmp 9522 bytes

C:\WINDOWS\zipinst.exe 39424 bytes executable

C:\WINDOWS\_default.pif 707 bytes

scan completed successfully

hidden files: 41

**************************************************************************

.

Completion time: 2007-11-05 21:30:20 - machine was rebooted

.

--- E O F ---

Here is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:33:31 PM, on 5/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Gigabyte\ET5\GUI.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 8539 bytes

Thanks again for your help.

Cheers

Adam


OK we need to get some things still.

C:\WINDOWS\System32\drivers\svchost.exe <===== Delete that file

Run HJT again and put a check next to these items below:

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Uninstall Groove Monitor: not Office, just this part of it.)

Then please run another ComboFix scan and post that log and a new HJT log. I can't guarantee we will get it all; as I have said before, I'm giving it my best shot, but all people who do this type of work will tell you the same thing. The only sure way to be rid of a rootkit is to reformat.

1. Download this file :

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

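As an added example (not from this thread, nor from ComboFix or HijackThis), here is a small triage script for the kind of finding Jean points at above: it parses ComboFix-style "Reg Loading Points" Run entries and flags a core Windows binary such as svchost.exe that is launched from a directory where Windows does not ship it, which is exactly how the bogus "Windows Firewall" value in the logs hides. The embedded log excerpt is constructed from values posted in the thread plus one made-up "Control (constructed)" line showing a legitimate location for contrast; the list of system-only binaries is a hand-picked subset, not an exhaustive one.

```python
"""Triage autorun values from a ComboFix "Reg Loading Points" dump.

Flags Run values that launch a binary carrying the name of a core Windows
component from a directory where Windows does not ship it. svchost.exe is a
real system binary, but it belongs in System32, not System32\\drivers.
"""
import re
from pathlib import PureWindowsPath

# Core Windows binaries that only legitimately live under System32 (and
# SysWOW64 on 64-bit). Hand-picked subset for this example, not exhaustive.
SYSTEM_ONLY_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
    "winlogon.exe", "smss.exe", "spoolsv.exe",
}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# [HKEY_...\Run] section header; ComboFix sometimes ends one with a stray quote.
KEY_LINE = re.compile(r'^\[(HK[^\]"]+)[\]"]?\s*$', re.IGNORECASE)
# "Name"="value" [date time resolved-path]   or   "Name"=value
RUN_LINE = re.compile(r'^"([^"]+)"=(.*?)\s*(?:\[([^\]]*)\])?\s*$')
# Leading program token of a command line: "svchost.exe -k netsvcs" -> svchost.exe
EXE_TOKEN = re.compile(r'(.+?\.(?:exe|dll|scr|pif|com|bat|cmd))(?=\s|$)', re.IGNORECASE)


def executable_of(value, bracket):
    """Return the program a Run value launches, or None for an empty value.

    ComboFix prints bare names (nwiz.exe) and appends the path it resolved them
    to inside the trailing [...] block; quoted full paths only need their quotes
    stripped; "" launches nothing.
    """
    value = value.strip().strip('"')
    if not value:
        return None
    m = EXE_TOKEN.match(value)
    program = m.group(1) if m else value
    if "\\" in program:
        return program
    if bracket:
        # bracket looks like "2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe"
        parts = bracket.split(" ", 2)
        if len(parts) == 3 and "\\" in parts[2]:
            return parts[2]
    return program  # bare name ComboFix could not resolve


def triage_run_entries(log_text):
    """Return (key, value name, program path, reason) for suspicious Run values."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or "currentversion\\run" not in key.lower():
            continue  # only Run keys matter here
        m = RUN_LINE.match(line)
        if not m:
            continue
        name, value, bracket = m.groups()
        program = executable_of(value, bracket)
        if program is None:
            continue
        path = PureWindowsPath(program)
        base, parent = path.name.lower(), str(path.parent).lower()
        if base in SYSTEM_ONLY_BINARIES and parent not in EXPECTED_DIRS:
            findings.append((key, name, program,
                             f"{base} is a core Windows binary but is launched from {parent}"))
    return findings


# Constructed excerpt modelled on the ComboFix output posted in this thread;
# the "Control (constructed)" line is an added legitimate location for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 19:38]
"nwiz"="nwiz.exe" [2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe]
"NWEReboot"="" []
"Control (constructed)"="C:\WINDOWS\system32\svchost.exe -k netsvcs" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Firewall"=C:\WINDOWS\System32\drivers\svchost.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
"""

if __name__ == "__main__":
    for key, name, program, reason in triage_run_entries(SAMPLE_LOG):
        print(f"[{key}]\n  {name!r} -> {program}\n  {reason}")
```

Run against the sample, only the `.default` hive's "Windows Firewall" value is reported; the same check can be pointed at a full ComboFix log by reading the file into `triage_run_entries`.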

Thanks Jean.

There was no file at "C:\WINDOWS\System32\drivers\svchost.exe"??

Logs follow:

ComboFix 07-11-01.1** - Adam 2007-11-09 20:06:18.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.554 [GMT 9:00]

Running from: D:\Downloads\Utilities\Spyware Utilities\combofix.exe

.

((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))

.

2007-11-05 20:49 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-05 17:34 <DIR> d-------- C:\hegames

2007-11-04 08:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-11-03 21:35 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-11-03 21:30 3,760 --a------ C:\WINDOWS\system32\tmp.reg

2007-11-03 20:13 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2007-11-03 20:13 207,736 --a------ C:\WINDOWS\system32\muweb.dll

2007-11-03 19:13 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2007-11-03 19:11 <DIR> d-------- C:\Program Files\MSBuild

2007-11-03 19:11 <DIR> d-------- C:\Program Files\Microsoft Works

2007-11-03 19:08 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-11-03 19:06 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8

2007-11-03 19:05 <DIR> d-------- C:\WINDOWS\SHELLNEW

2007-11-03 19:04 <DIR> dr-h----- C:\MSOCache

2007-11-03 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

2007-11-03 17:30 <DIR> d-------- C:\Documents and Settings\The Little Man\Application Data\Grisoft

2007-11-01 20:59 <DIR> d-------- C:\Program Files\Java

2007-11-01 20:59 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-01 20:58 0 -ra------ C:\WINDOWS\system32\drivers\hxdefdrv.sys

2007-11-01 20:38 <DIR> d-------- C:\mwav

2007-11-01 20:38 <DIR> d-------- C:\Downloads

2007-11-01 20:38 <DIR> d-------- C:\Bases

2007-11-01 07:55 <DIR> d-------- C:\Documents and Settings\Kylie\Application Data\Grisoft

2007-10-31 20:32 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Grisoft

2007-10-31 20:32 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-10-31 20:29 <DIR> d-------- C:\Program Files\Trend Micro

2007-10-30 23:35 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\DivX

2007-10-30 22:50 <DIR> d-------- C:\Program Files\ShellExView

2007-10-30 22:50 39,424 --a------ C:\WINDOWS\zipinst.exe

2007-10-29 21:42 <DIR> d-------- C:\Program Files\RogueRemover FREE

2007-10-28 19:42 <DIR> d-------- C:\Program Files\Wondershare

2007-10-20 11:18 <DIR> d-------- C:\Documents and Settings\Adam\WINDOWS

2007-10-16 21:38 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Microsoft Web Folders

2007-10-13 20:05 3,666,293 --a------ C:\WINDOWS\LEGO Star Wars.SCR

2007-10-13 20:04 <DIR> d-------- C:\Documents and Settings\The Little Man\Application Data\iScreensaver

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-09 10:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7

2007-11-05 08:33 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

2007-11-04 22:02 --------- d-----w C:\Documents and Settings\Adam\Application Data\Azureus

2007-11-04 00:31 --------- d-----w C:\Program Files\QuickTime

2007-11-04 00:26 --------- d-----w C:\Program Files\GetRight

2007-11-02 15:05 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-11-02 15:05 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-11-02 15:01 --------- d-----w C:\Program Files\GameSpy Arcade

2007-10-31 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft

2007-10-30 13:48 --------- d-----w C:\Program Files\DivX

2007-10-30 12:26 40,136 ----a-w C:\WINDOWS\system32\drivers\ET5Drv.sys

2007-10-29 12:58 --------- d-----w C:\Documents and Settings\Adam\Application Data\AVG7

2007-10-16 12:38 --------- d-----w C:\Program Files\microsoft frontpage

2007-10-15 14:38 --------- d-----w C:\Program Files\Vodei

2007-10-06 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2007-10-06 10:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe

2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll

2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-09-15 05:04 --------- d-----w C:\Program Files\MoTeC

2007-09-15 03:50 224,292 ----a-w C:\WINDOWS\rFactor Data Acquisition Plugin Uninstaller.exe

2007-09-15 03:43 --------- d-----w C:\Documents and Settings\Adam\Application Data\MoTeC

2007-09-13 12:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-09-10 12:15 --------- d-----w C:\Program Files\Azureus

2007-09-03 12:48 737,280 ----a-w C:\WINDOWS\iun6002.exe

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 19:38]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 14:47]

"nwiz"="nwiz.exe" [2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-11 14:47]

"EasyTuneV"="C:\Program Files\Gigabyte\ET5\GUI.exe" [2007-10-30 21:26]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]

"SoundMan"="SOUNDMAN.EXE" [2006-08-03 06:12 C:\WINDOWS\soundman.exe]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]

"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]

"NWEReboot"="" []

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-18 23:13]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00]

"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 17:03]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]

"Start WingMan Profiler"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Windows Firewall"=C:\WINDOWS\System32\drivers\svchost.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-09-12 22:31:41]

NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2005-04-17 22:56:49]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys

R3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32

R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys

R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys

R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys

S3 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys

S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys

S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\racer.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-09 20:09:31

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes

C:\WINDOWS\WindowsUpdate.log 2020874 bytes

C:\WINDOWS\winhelp.exe 256192 bytes

C:\WINDOWS\winhlp32.exe 283648 bytes executable

C:\WINDOWS\wmprfnld.prx 32964 bytes

C:\WINDOWS\winnt.bmp 48680 bytes

C:\WINDOWS\winnt256.bmp 48680 bytes

C:\WINDOWS\WinSxS

C:\WINDOWS\WMFDist11.log 30409 bytes

C:\WINDOWS\wmp11.log 18798 bytes

C:\WINDOWS\WMPrfAra.prx 33336 bytes

C:\WINDOWS\WMPrfCHS.prx 19492 bytes

C:\WINDOWS\WMPrfCHT.prx 18804 bytes

C:\WINDOWS\wmprfcsy.prx 35474 bytes

C:\WINDOWS\wmprfdan.prx 31712 bytes

C:\WINDOWS\WMPrfDeu.prx 33820 bytes

C:\WINDOWS\wmprfell.prx 36594 bytes

C:\WINDOWS\wmprfesp.prx 35590 bytes

C:\WINDOWS\wmprffin.prx 31764 bytes

C:\WINDOWS\wmprffra.prx 37916 bytes

C:\WINDOWS\wmprfheb.prx 28718 bytes

C:\WINDOWS\wmprfhun.prx 37014 bytes

C:\WINDOWS\wmprfita.prx 35680 bytes

C:\WINDOWS\WMPrfJpn.prx 23304 bytes

C:\WINDOWS\WMPrfKor.prx 22338 bytes

C:\WINDOWS\wmprfnor.prx 32852 bytes

C:\WINDOWS\wmprfplk.prx 35822 bytes

C:\WINDOWS\wmprfptb.prx 33694 bytes

C:\WINDOWS\wmprfptg.prx 35916 bytes

C:\WINDOWS\wmprfrus.prx 35306 bytes

C:\WINDOWS\wmprfsky.prx 38232 bytes

C:\WINDOWS\wmprfslv.prx 33580 bytes

C:\WINDOWS\wmprfsve.prx 33314 bytes

C:\WINDOWS\wmprftrk.prx 32022 bytes

C:\WINDOWS\wmsetup.log 126189 bytes

C:\WINDOWS\wmsetup10.log 1030 bytes

C:\WINDOWS\WMSysPr9.prx 316640 bytes

C:\WINDOWS\Wudf01000Inst.log 11482 bytes

C:\WINDOWS\Zapotec.bmp 9522 bytes

C:\WINDOWS\zipinst.exe 39424 bytes executable

C:\WINDOWS\_default.pif 707 bytes

IPC error: 2 The system cannot find the file specified.

scan completed successfully

hidden files: 41

**************************************************************************

.

Completion time: 2007-11-09 20:10:16

C:\ComboFix2.txt ... 2007-11-05 21:30

.

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:13:52 PM, on 9/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Gigabyte\ET5\GUI.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 8379 bytes

Thanks again.


There is a file there because it shows in your log. Do you have your system set to show hidden files and folders?

Run HJT again and put a check next to these:

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

I'm not finding much good about GameSpy either. My advice is get rid of it and the Azureus. P2P is dangerous behavior.


I still can't find that file in that folder. I do find svchost.exe in "C:\WINDOWS\System32" ...... but just not in the path you described ("C:\WINDOWS\System32\drivers\svchost.exe") - is that the file you refer to?

Gamespy is a legitimate program, it's a widely used online gaming interface - I've used it for years.

Let me know if I should delete svchost.exe in the other path and then I'll run HJT again and post the log. (I'm assuming when you say to check the items in HJT, you then want me to click fix items??)

Thanks Jean.


Yes, put a check next to the items and click fix. Sorry for not being more clear.

Gamespy has been (and maybe still is) a security risk and venue for infection. It is also listed by at least one security related site as leaving spyware files.

http://www.spywaredata.com/spyware/threat_...ings/result.php

http://www.packetstormsecurity.com/0512-exploits/index2.html

/// File Name: GameFlyXSS.txt

Description:

GameFly, the popular online video game rental service, suffers from a cross site scripting flaw.

Author: Matthew Benenati

File Size: 417

Last Modified: Dec 3 06:25:45 2005

MD5 Checksum: fd363324b7ba22cd1ed151f9e8b1cda4

The flaw is a couple of years old so maybe it's been fixed. If they do things like Microsoft, don't count on it.

No, do not delete the file you see. You're seeing a legit Windows file. You're not seeing the malware, that's how these things work. It shows in the special tool but can be seen with the "naked" eye so to speak. We have a tool for this situation.

Author: Option^Explicit

License: Freeware

Download Location: KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe

Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

I recommend you copy and paste C:\WINDOWS\System32\drivers\svchost.exe; you can't make a typo this way. Do this and post a new HJT log please.


Thanks Jean.

I ran killbox and it did not find the file either. I also had it search my system and it only found it in the following paths:

c:\windows\system32\svchost.exe

c:\windows\system32\dllcache\svchost.exe

I ran HJT as per your other post and checked those items mentioned - here is the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:58:54 AM, on 11/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Gigabyte\ET5\GUI.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Nikon\NkView6\NkvMon.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 8076 bytes


Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here.


Thanks Jean.

What do you think about that svchost.exe issue ..... Is something hiding it from view or is it gone?

Do you think my system is cleansed or should I still consider a fresh windows install? :angry:

There isn't much you can do about it. Svchost.exe is a needed Windows file, the one showing in the log is not. It is very likely something is hiding, that's why we tell people the only sure way to be rid of a rootkit is reformat. These things are constantly being rewritten to escape detection. It's not good this particular file can't be found. It is there because it shows in the log, or possibly it was removed. But again, there is no way of knowing. I'm sorry I can't give you the answer you want to hear.

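The point Jean makes here, and in the earlier KillBox post, is that a file named svchost.exe is only legitimate in the places Windows puts it; a copy that shows up under system32\drivers (or anywhere else) is the one to chase, however many genuine copies also appear in the log. The Python script below is an added example, not part of this thread and not code from HijackThis: it parses a constructed HijackThis-style log and flags core Windows binary names that are running from, or registered to start from, a directory other than the expected one. The expected-directory table, the sample log lines and the Windows directory C:\WINDOWS are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Windows directory assumed for this example (the thread's machine is XP with
# C:\WINDOWS; adjust for a different install).
WINDIR = "c:\\windows"

# Core Windows binaries that malware commonly impersonates by file name, mapped
# to the directories (relative to WINDIR, lower-cased) where the genuine copy
# lives on Windows XP. system32\dllcache holds the Windows File Protection
# backup copy, so a second copy there is expected. This table is an assumption
# of the example, not something stated in the thread.
EXPECTED_DIRS = {
    "svchost.exe": {"system32", "system32\\dllcache"},
    "lsass.exe": {"system32", "system32\\dllcache"},
    "services.exe": {"system32", "system32\\dllcache"},
    "smss.exe": {"system32", "system32\\dllcache"},
    "explorer.exe": {"", "system32\\dllcache"},
}

PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")
SECTION_LINE = re.compile(r"^O\d+ - ")
O4_RUN = re.compile(r"^O4 - .*\\Run: \[[^\]]*\] (.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: .* - ([A-Za-z]:\\.*)$")


def executable_from_command(command):
    """Return the program part of a Run-key command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def relative_dir(path):
    """Directory of path relative to WINDIR ('' for WINDIR itself), or None
    when the file is not under the Windows directory at all."""
    parent = PureWindowsPath(path.lower()).parent
    try:
        rel = parent.relative_to(PureWindowsPath(WINDIR))
    except ValueError:
        return None
    return "" if str(rel) == "." else str(rel)


def classify(path):
    """Describe why a path is suspicious, or return None if it looks normal."""
    name = PureWindowsPath(path).name.lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None  # not a name this check tracks
    if "\\" not in path and ":" not in path:
        return f"{path}: core binary named without a path (resolved via PATH search)"
    rel = relative_dir(path)
    if rel is None:
        return f"{path}: {name} outside the Windows directory"
    if rel not in expected:
        return f"{path}: {name} in unexpected directory '{rel}'"
    return None


def scan_hijackthis_log(text):
    """Return (section, finding) pairs for every suspicious core-binary path in
    the Running processes list, O4 Run entries and O23 service entries."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION_LINE.match(line):
            in_processes = False  # first O-line ends the process list
        section, candidate = None, None
        if in_processes and PROCESS_LINE.match(line):
            section, candidate = "process", line
        elif O4_RUN.match(line):
            section = "O4 Run"
            candidate = executable_from_command(O4_RUN.match(line).group(1))
        elif O23_SERVICE.match(line):
            section = "O23 Service"
            candidate = O23_SERVICE.match(line).group(1).strip()
        if candidate:
            verdict = classify(candidate)
            if verdict:
                findings.append((section, verdict))
    return findings


# Constructed sample modelled on the thread's log: genuine svchost.exe entries
# plus one copy under drivers\ and one under a user-writable directory.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\drivers\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
O4 - HKLM\\..\\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [Updater] "C:\\Documents and Settings\\All Users\\svchost.exe" /s
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\\WINDOWS\\system32\\drivers\\svchost.exe
"""

if __name__ == "__main__":
    for section, finding in scan_hijackthis_log(SAMPLE_LOG):
        print(f"[{section}] {finding}")
```

Run it against a saved HijackThis log by reading the file into a string and passing it to scan_hijackthis_log; the check deliberately ignores file names it does not track, so a clean result only means that no core-binary name appears from an odd location, not that the log is clean overall.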

You're welcome Adam. I hope everything works out for the best and you have safe surfing. Prevention and education are key elements to staying away from this sort of trouble.

Since this topic is resolved I will close it.

The fixes and procedures in this topic are for this machine only. You should not apply them to another system. If you experience similar symptoms and need help open a topic of your own and someone will be happy to help.

