
vmmdiag32.exe haxdoor virus

Discussion in 'Malware and Virus Removal Archive' started by Frysk, 2006/11/06.

  1. 2006/11/07
    Frysk

    Frysk Inactive Thread Starter

    I am now combo-fixed!
    Here is the logfile, followed by a fresh HJT log.
    And good morning. :)


    Mark - 06-11-07 18:18:25.42 Service Pack 1
    ComboFix 06.10.19 - Running from: "C:\Program Files\Opera "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\windows\secure32.html
    C:\windows\system32\components


    ((((((((((((((((((((((((((((((( Files Created from 2006-10-07 to 2006-11-07 ))))))))))))))))))))))))))))))))))


    2006-11-07 16:42 51,764 --a------ C:\WINDOWS\system32\csldv.exe
    2006-11-07 13:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-07 12:20 70 --a------ C:\getservice.bat
    2006-11-07 12:20 61,440 --a------ C:\psservice.exe
    2006-11-07 11:28 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
    2006-11-07 02:19 24,576 --a------ C:\msupd0112842875.exe
    2006-11-07 02:18 3,072 -r-hs---- C:\msupd0112832828.exe
    2006-11-06 16:38 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-11-06 16:38 7,483 --a------ C:\clean.bat
    2006-11-06 16:38 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-11-06 16:38 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-11-06 16:38 38,400 --a------ C:\WINDOWS\system32\moveex.exe
    2006-11-06 15:24 86 --a------ C:\ff.bat
    2006-10-29 19:41 577,536 --a------ C:\WINDOWS\soundman.exe
    2006-10-29 19:41 4,019,072 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
    2006-10-29 19:40 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2006-10-29 19:40 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-07 18:17 -------- d-------- C:\Program Files\Opera
    2006-11-07 18:16 -------- d-------- C:\Program Files\Combofix
    2006-11-07 18:00 -------- d-------- C:\Program Files\HaxFix
    2006-11-07 16:50 -------- d-------- C:\Program Files\HJThis
    2006-11-07 16:05 -------- d-------- C:\Program Files\AVG Anti-Spyware 7.5
    2006-11-07 13:52 -------- d-------- C:\Program Files\BFU
    2006-11-07 03:24 -------- d-------- C:\Program Files\Warcraft III 1.20e UNCRACKED
    2006-11-06 01:31 -------- d-------- C:\Program Files\Prince of Persia Warrior Within
    2006-10-30 21:38 -------- d-------- C:\Documents and Settings\Mark\Application Data\.gaim
    2006-10-29 22:31 -------- d-------- C:\Program Files\Warcraft III
    2006-10-29 19:40 -------- d-------- C:\Program Files\Realtek AC97
    2006-10-29 15:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-24 17:43 -------- d-------- C:\Documents and Settings\Mark\Application Data\foobar2000
    2006-10-24 17:30 -------- d-------- C:\Program Files\foobar2000
    2006-10-24 15:14 -------- d-------- C:\Program Files\Real Alternative
    2006-10-24 15:14 -------- d-------- C:\Program Files\Media Player Classic
    2006-10-24 15:14 -------- d-------- C:\Documents and Settings\Mark\Application Data\Real
    2006-10-24 15:14 -------- d-------- C:\Documents and Settings\Mark\Application Data\Media Player Classic
    2006-10-12 16:10 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-07 12:19 -------- d-------- C:\Program Files\D-Tools
    2006-09-26 02:15 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
    2006-09-26 02:10 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2006-09-26 02:10 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2006-09-26 02:09 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2006-09-26 02:09 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2006-09-26 02:07 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2006-09-26 02:07 24560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2006-09-12 19:18 -------- d-------- C:\Program Files\Steam
    2006-08-10 07:27 10528768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2006-08-10 03:47 243512 --a------ C:\Program Files\Java.exe
    2006-08-10 03:40 21048 --a------ C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Winstt "= "C:\\msupd0112842546.exe "
    "Winsti "= "C:\\msupd0112842546.exe "
    "Winsts "= "C:\\msupd0112842546.exe "
    "Winstr "= "C:\\msupd0112842546.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "PRONoMgr.exe "= "C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe "
    "avast! "= "C:\\Avast4\\ashDisp.exe "
    "Zone Labs Client "= "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe "
    "POINTER "= "point32.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "SoundMan "= "SOUNDMAN.EXE "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Gaim.lnk]
    "path "= "C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Gaim.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Gaim.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\Gaim\\gaim.exe "
    "item "= "Gaim "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "cli "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "atiptaxx "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "CloneCDTray "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\CloneCD\\CloneCDTray.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ICQLite "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\ICQ\\ICQLite.exe\" -minimize "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstaFinderK]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "InstaFinderK_inst "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\INSTAFINK\\InstaFinderK_inst.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\killall]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "dialer423 "
    "hkey "= "HKLM "
    "command "= "dialer423.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msnmsgr "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "P2P Networking "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "=" "
    "hkey "= "HKCU "
    "command "=" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "fsg_4203 "
    "hkey "= "HKLM "
    "command "= "\ "c:\\windows\\temp\\adware\\fsg_4203.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TRPT]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "panel_its "
    "hkey "= "HKLM "
    "command "= "panel_its.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yak!]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "Yak "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\Yak!\\Yak.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Messenger "=dword:00000002

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    Completion time: 06-11-07 18:18:46.48
    C:\ComboFix.txt ... 06-11-07 18:18




    Logfile of HijackThis v1.99.1
    Scan saved at 6:19:48 PM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\System32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Avast4\aswUpdSv.exe
    C:\Avast4\ashServ.exe
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Avast4\ashWebSv.exe
    C:\Avast4\ashMaiSv.exe
    C:\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsts] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstr] C:\msupd0112842546.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    OK, let's see how this finishes up.

    Let's break out KillBox again, and using the files below, perform as previously instructed.
    C:\WINDOWS\system32\csldv.exe
    C:\msupd0112842875.exe
    C:\msupd0112832828.exe
    C:\ff.bat
    C:\msupd0112842546.exe
    dialer423.exe
    P2P Networking.exe
    fsg_4203.exe
    panel_its.exe


    Do not reboot, but run HJT.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php


    O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe

    O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe

    O4 - HKCU\..\Run: [Winsts] C:\msupd0112842546.exe

    O4 - HKCU\..\Run: [Winstr] C:\msupd0112842546.exe


    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82

    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82

    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82


    Reboot and run ComboFix first, then HJT and post both logs back into this thread and also let me know of any problems still occurring, or new ones.
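    The two indicator classes the instructions above single out (O4 Run values launching an executable dropped in the drive root, and O17 NameServer entries redirecting DNS to unexpected resolvers) can be picked out of a HijackThis log mechanically. The script below is an added example for readers of this thread, not a tool from the thread or from the HijackThis project; the resolver allow-list is an assumption to be replaced with the resolvers your own network is supposed to use, and the sample log mixes lines copied from the log posted above with one constructed benign line.

```python
"""Triage helper for HijackThis-style log lines (added example, not a forum or HJT tool).

Flags O4 Run entries whose executable sits in the drive root, O4 entries that
register the same command under several value names, and O17 NameServer
entries pointing at resolvers outside an allow-list."""
import re
from ipaddress import ip_address, ip_network

# Assumption: a home network is expected to resolve through private-range resolvers.
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Sample input: lines copied from the HJT log posted in this thread plus one
# constructed benign O17 line (192.168.1.1) to show the allow-list passing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
# Matches "C:\something.exe" with no directory component (optionally quoted).
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\.exe\b', re.IGNORECASE)


def nameservers(field):
    """Split an O17 NameServer value; HJT prints them comma- or space-separated."""
    return [s for s in re.split(r'[,\s]+', field.strip()) if s]


def is_expected_resolver(ip_text, expected=EXPECTED_RESOLVERS):
    """True if the address falls inside one of the allow-listed resolver networks."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal at all: treat as unexpected
    return any(ip in net for net in expected)


def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Return (kind, where, reason) findings for suspicious O4 and O17 lines."""
    findings = []
    run_targets = {}  # lower-cased command -> Run value names that launch it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd')
            run_targets.setdefault(cmd.lower(), []).append(m.group('name'))
            if ROOT_EXE_RE.match(cmd):
                findings.append(('O4', m.group('name'),
                                 'autorun executable stored in the drive root: ' + cmd))
            continue
        m = O17_RE.match(line)
        if m:
            bad = [s for s in nameservers(m.group('servers'))
                   if not is_expected_resolver(s, expected)]
            if bad:
                findings.append(('O17', m.group('key'),
                                 'NameServer points outside expected resolvers: ' + ','.join(bad)))
    # One file registered under several Run value names is itself a persistence tell.
    for cmd, names in run_targets.items():
        if len(names) > 1:
            findings.append(('O4', ','.join(names),
                             'same command registered under %d Run values: %s' % (len(names), cmd)))
    return findings


if __name__ == '__main__':
    for kind, where, reason in triage(SAMPLE_LOG):
        print('%-4s %s\n     %s' % (kind, where, reason))
```

Run it against a saved HijackThis log by reading the file into `triage()`; the O17 check is the one worth keeping around after cleanup, since a DNS-changer that survives a reboot shows up there first, long before anything else in the log looks wrong.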
     
  4. 2006/11/07
    Frysk

    Frysk Inactive Thread Starter

    Okay, did all that, and I'm noticing no problems now. :)
    Here are the two logfiles:


    Mark - 06-11-08 9:34:23.99 Service Pack 1
    ComboFix 06.10.19 - Running from: "C:\Program Files\Combofix "


    ((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


    2006-11-07 13:38 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-07 12:20 70 --a------ C:\getservice.bat
    2006-11-07 12:20 61,440 --a------ C:\psservice.exe
    2006-11-07 11:28 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
    2006-11-06 16:38 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
    2006-11-06 16:38 7,483 --a------ C:\clean.bat
    2006-11-06 16:38 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-11-06 16:38 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2006-11-06 16:38 38,400 --a------ C:\WINDOWS\system32\moveex.exe
    2006-10-29 19:41 577,536 --a------ C:\WINDOWS\soundman.exe
    2006-10-29 19:41 4,019,072 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
    2006-10-29 19:40 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2006-10-29 19:40 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-08 09:34 -------- d-------- C:\Program Files\Combofix
    2006-11-08 09:29 -------- d-------- C:\Program Files\HJThis
    2006-11-07 18:17 -------- d-------- C:\Program Files\Opera
    2006-11-07 18:00 -------- d-------- C:\Program Files\HaxFix
    2006-11-07 16:05 -------- d-------- C:\Program Files\AVG Anti-Spyware 7.5
    2006-11-07 13:52 -------- d-------- C:\Program Files\BFU
    2006-11-07 03:24 -------- d-------- C:\Program Files\Warcraft III 1.20e UNCRACKED
    2006-11-06 01:31 -------- d-------- C:\Program Files\Prince of Persia Warrior Within
    2006-10-30 21:38 -------- d-------- C:\Documents and Settings\Mark\Application Data\.gaim
    2006-10-29 22:31 -------- d-------- C:\Program Files\Warcraft III
    2006-10-29 19:40 -------- d-------- C:\Program Files\Realtek AC97
    2006-10-29 15:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-24 17:43 -------- d-------- C:\Documents and Settings\Mark\Application Data\foobar2000
    2006-10-24 17:30 -------- d-------- C:\Program Files\foobar2000
    2006-10-24 15:14 -------- d-------- C:\Program Files\Real Alternative
    2006-10-24 15:14 -------- d-------- C:\Program Files\Media Player Classic
    2006-10-24 15:14 -------- d-------- C:\Documents and Settings\Mark\Application Data\Real
    2006-10-24 15:14 -------- d-------- C:\Documents and Settings\Mark\Application Data\Media Player Classic
    2006-10-12 16:10 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-07 12:19 -------- d-------- C:\Program Files\D-Tools
    2006-09-26 02:15 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
    2006-09-26 02:10 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2006-09-26 02:10 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2006-09-26 02:09 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2006-09-26 02:09 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2006-09-26 02:07 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2006-09-26 02:07 24560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2006-09-12 19:18 -------- d-------- C:\Program Files\Steam
    2006-08-10 07:27 10528768 --a------ C:\WINDOWS\system32\RTLCPL.exe
    2006-08-10 03:47 243512 --a------ C:\Program Files\Java.exe
    2006-08-10 03:40 21048 --a------ C:\Documents and Settings\Mark\Application Data\GDIPFONTCACHEV1.DAT


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "PRONoMgr.exe "= "C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe "
    "avast! "= "C:\\Avast4\\ashDisp.exe "
    "Zone Labs Client "= "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe "
    "POINTER "= "point32.exe "
    "NeroCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "SoundMan "= "SOUNDMAN.EXE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Gaim.lnk]
    "path "= "C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Gaim.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Gaim.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\Gaim\\gaim.exe "
    "item "= "Gaim "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "cli "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "atiptaxx "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "CloneCDTray "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\CloneCD\\CloneCDTray.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ICQLite "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\ICQ\\ICQLite.exe\" -minimize "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstaFinderK]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "InstaFinderK_inst "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\INSTAFINK\\InstaFinderK_inst.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\killall]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "dialer423 "
    "hkey "= "HKLM "
    "command "= "dialer423.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msnmsgr "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "P2P Networking "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "=" "
    "hkey "= "HKCU "
    "command "=" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "fsg_4203 "
    "hkey "= "HKLM "
    "command "= "\ "c:\\windows\\temp\\adware\\fsg_4203.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TRPT]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "panel_its "
    "hkey "= "HKLM "
    "command "= "panel_its.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yak!]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "Yak "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\Yak!\\Yak.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Messenger "=dword:00000002

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    Completion time: 06-11-08 9:34:53.71
    C:\ComboFix.txt ... 06-11-08 09:34
    C:\ComboFix2.txt ... 06-11-07 18:18



    Logfile of HijackThis v1.99.1
    Scan saved at 9:36:07 AM, on 8/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\System32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Avast4\aswUpdSv.exe
    C:\Avast4\ashServ.exe
    C:\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Avast4\ashMaiSv.exe
    C:\Avast4\ashWebSv.exe
    C:\windows\System32\wuauclt.exe
    C:\Program Files\HJThis\HJThis.exe

    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    I'm daring to hope it's all clean...
     
  5. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That would indeed appear to be so. Nice work.

    All we have are some registry entries to remove.

    But lets first back up your registry. This is just a precautionary step, and you can delete the saved file once we are done.

    Perform the steps below for the following entries:
    InstaFinderK
    killall
    P2P Networking
    Trickler
    TRPT


    NAVIGATE TO REGISTRY
    Click the Start button, select Run, hit Enter.

    When box appears, type regedit, hit Enter.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg

    Look for each of the above in the left hand side of the registry editor,
    Right-click it, and select 'Delete'.

    Once all are deleted, close the registry editor, reboot, and you're done. Let me know if you have any troubles.
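An added example, not part of TeMerc's post or of the thread: a PowerShell script that performs the same review and removal of the msconfig startupreg entries from an elevated prompt, backing the key up first as the post advises. The subkey names are the five listed in the post; the backup file path is an assumption.

```powershell
# Added example (not from the thread). Lists the disabled startup items that
# msconfig keeps under "startupreg", exports the key as a backup, and removes
# only the subkeys named in $ToRemove. Run as Administrator.
$StartupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$ToRemove   = @('InstaFinderK', 'killall', 'P2P Networking', 'Trickler', 'TRPT')

# 1. Precautionary backup of the whole key (path is an assumption; delete it when done).
$Backup = Join-Path $env:USERPROFILE 'Desktop\msconfig-startupreg-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg' $Backup /y | Out-Null
Write-Host "Backup written to $Backup"

# 2. Show every entry (hive, item name, command line) so each can be reviewed
#    against the ComboFix log before anything is deleted.
Get-ChildItem -Path $StartupReg | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [PSCustomObject]@{
        Name    = $_.PSChildName
        Hive    = $p.hkey
        Item    = $p.item
        Command = $p.command
    }
} | Format-Table -AutoSize

# 3. Remove only the named subkeys. -WhatIf previews the deletions; drop it to apply.
foreach ($name in $ToRemove) {
    $keyPath = Join-Path $StartupReg $name
    if (Test-Path -Path $keyPath) {
        Remove-Item -Path $keyPath -Recurse -WhatIf
    } else {
        Write-Host "Not present (already removed?): $name"
    }
}
```

Entries under startupreg are items msconfig has disabled, not live Run values, so deleting them stops nothing running; the step only clears the leftovers from the log.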
     
  6. 2006/11/09
    Frysk

    Frysk Inactive Thread Starter

    Joined:
    2006/11/06
    Messages:
    21
    Likes Received:
    0
    Okay that's done and everything looks good TeMerc.
    Thank you very much for helping me, I really appreciate it.
    No doubt my brother will find more viruses and you'll hear from me again, haha.
    Seriously - thanks very much.
     
  7. 2006/11/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad to hear all is working well.

    Have your brother install some protection as outlined below and he will reduce the probability of future infections.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     