
Solved Winantivirus Pro and Registry problems

Discussion in 'Malware and Virus Removal Archive' started by willyontour, 2007/09/12.

  1. 2007/09/20
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 18:39:45, on 20/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Adam\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F} - (no file)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: WebBuying Assistant - {C318CD44-E327-4377-A28E-6EC16A921AE8} - (no file)
    O2 - BHO: (no name) - {E121D4CB-2849-4482-82E4-AF6A341F0A9E} - (no file)
    O2 - BHO: (no name) - {EF391FD0-01BC-4B14-AD8E-B44D242E7830} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  2. 2007/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showpost.php?p=365032&postcount=20
    
    Suspect::[22]
    C:\Program Files\2IN07A7I.bat
    C:\DOCUME~1\Adam\q.bat
    C:\DOCUME~1\GENEVI~1\q.bat
    C:\DOCUME~1\Adam\hhjj.bat
    C:\DOCUME~1\Adam\yyd.bat
    C:\DOCUME~1\Adam\n.bat
    C:\DOCUME~1\GENEVI~1\yyd.bat
    C:\DOCUME~1\GENEVI~1\n.bat
    
    File::
    C:\Program Files\wt3d.ini
    C:\WINDOWS\NirCmd.exe
    C:\WINDOWS\system32\tmp.reg
    
    Folder::
    C:\BFU
    C:\bintheredunthat
    C:\Deckard
    C:\VundoFix Backups
    C:\Program Files\RogueRemover FREE
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C318CD44-E327-4377-A28E-6EC16A921AE8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E121D4CB-2849-4482-82E4-AF6A341F0A9E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF391FD0-01BC-4B14-AD8E-B44D242E7830}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect some files for analysis. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains copies of the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. Thanks!
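The four O2 entries that the script above deletes are the ones HijackThis reported as "(no file)": the CLSID is still registered as a Browser Helper Object but the DLL is gone. The following is an added example, not code from the thread, HijackThis or ComboFix; it parses the O2 lines of the two logs posted in this thread (copied verbatim), lists the orphaned registrations, emits the same Registry:: block noahdfear wrote (reusing his "~" shorthand for the HKLM Explorer key), and checks the post-fix log both for leftovers and for working BHOs that should not have disappeared.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log and
build the ComboFix Registry:: block that removes the dead registrations.

Added example for this thread; it is not code from HijackThis, ComboFix or
the posters. The sample lines are copied from the two logs above. The key
syntax reproduces noahdfear's script, including its "~" shorthand for the
HKLM Explorer key under which BHOs are registered.
"""
import re

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)

NO_FILE = "(no file)"  # what HijackThis prints when the registered DLL is missing

# O2/O4 lines from the 2007/09/20 log, before the CFScript ran.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7D63FBE2-3764-48AB-B26D-3D1EC8EE3D8F} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: WebBuying Assistant - {C318CD44-E327-4377-A28E-6EC16A921AE8} - (no file)
O2 - BHO: (no name) - {E121D4CB-2849-4482-82E4-AF6A341F0A9E} - (no file)
O2 - BHO: (no name) - {EF391FD0-01BC-4B14-AD8E-B44D242E7830} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
""".strip().splitlines()

# O2 lines from the 2007/09/21 log, after the CFScript ran.
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
""".strip().splitlines()


def parse_o2(lines):
    """Return one dict (name, clsid, target) per O2 line; other lines are ignored."""
    entries = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_bhos(entries):
    # "(no file)" means the CLSID is still listed under
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    # but its DLL is gone: a leftover of a removed component. Nothing loads,
    # and it is exactly what the Registry:: section of the CFScript deletes.
    return [e for e in entries if e["target"].strip() == NO_FILE]


def cfscript_registry_block(entries):
    """Registry:: section that deletes each orphaned BHO key ([-key] = delete)."""
    out = ["Registry::"]
    for e in orphaned_bhos(entries):
        out.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + e["clsid"] + "]")
    return "\n".join(out) + "\n"


def still_orphaned(before_lines, after_lines):
    """CLSIDs that were '(no file)' before and are still reported afterwards."""
    before = {e["clsid"] for e in orphaned_bhos(parse_o2(before_lines))}
    after = {e["clsid"] for e in orphaned_bhos(parse_o2(after_lines))}
    return sorted(before & after)


def lost_live_bhos(before_lines, after_lines):
    """Working BHOs (DLL present) that disappeared: a collateral-damage check."""
    live_before = {e["clsid"] for e in parse_o2(before_lines)
                   if e["target"].strip() != NO_FILE}
    after = {e["clsid"] for e in parse_o2(after_lines)}
    return sorted(live_before - after)


if __name__ == "__main__":
    print(cfscript_registry_block(parse_o2(LOG_BEFORE)))
    print("still orphaned:", still_orphaned(LOG_BEFORE, LOG_AFTER))
    print("live BHOs lost:", lost_live_bhos(LOG_BEFORE, LOG_AFTER))
```

Run against the two logs in this thread, the generated block matches the four `[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{...}]` lines above, the second log has no orphans left, and the three Adobe/Java BHOs with a DLL on disk survive, which is the check worth doing before declaring a script a success.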
     


  4. 2007/09/21
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    ComboFix 07-09-19.8 - "Adam" 2007-09-21 17:44:43.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.633 [GMT 10:00]
    * Created a new restore point

    FILE::
    C:\Program Files\wt3d.ini
    C:\WINDOWS\NirCmd.exe
    C:\WINDOWS\system32\tmp.reg
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\BFU
    C:\BFU\alcanshorty.bfu
    C:\BFU\BFU.exe
    C:\bintheredunthat
    C:\Deckard
    C:\Program Files\RogueRemover FREE
    C:\Program Files\RogueRemover FREE\COMCTL32.OCX
    C:\Program Files\RogueRemover FREE\Excludes.dat
    C:\Program Files\RogueRemover FREE\License.txt
    C:\Program Files\RogueRemover FREE\manual.chm
    C:\Program Files\RogueRemover FREE\RogueRemover.dll
    C:\Program Files\RogueRemover FREE\RogueRemover.exe
    C:\Program Files\RogueRemover FREE\rules.dat
    C:\Program Files\RogueRemover FREE\unins000.dat
    C:\Program Files\RogueRemover FREE\unins000.exe
    C:\Program Files\RogueRemover FREE\zlib.dll
    C:\Program Files\wt3d.ini
    C:\VundoFix Backups
    C:\VundoFix Backups\edeeg.bak1.bad
    C:\VundoFix Backups\edeeg.bak2.bad
    C:\VundoFix Backups\edeeg.ini.bad
    C:\VundoFix Backups\geede.dll.bad
    C:\WINDOWS\NirCmd.exe
    C:\WINDOWS\system32\tmp.reg

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
    .

    2007-09-20 18:43 <DIR> drahs---- C:\autorun.inf
    2007-09-13 23:24 <DIR> d-------- C:\WINDOWS\pss
    2007-09-07 22:56 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-09-07 22:43 <DIR> d-------- C:\Program Files\Yahoo!
    2007-09-06 20:06 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\MSNInstaller
    2007-08-24 14:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
    2007-08-24 14:16 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-08-24 08:53 <DIR> d-------- C:\Program Files\Albumprinter Australia
    2007-08-24 08:47 <DIR> d-------- C:\Program Files\My Reflections
    2007-08-24 08:47 <DIR> d-------- C:\Program Files\Microsoft WSE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-21 11:05 --------- d-------- C:\Program Files\VoipCheapCom
    2007-09-09 15:15 --------- d-------- C:\Program Files\oneworldflights
    2007-09-09 02:30 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-09-09 01:15 --------- d-------- C:\Program Files\Gabest
    2007-09-04 08:15 --------- d-------- C:\Program Files\Google
    2007-09-04 08:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-08-24 14:11 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Skype
    2007-08-04 14:22 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
    2007-08-02 18:44 --------- d-------- C:\Program Files\iTunes
    2007-08-02 18:44 --------- d-------- C:\Program Files\iPod
    2007-08-02 18:42 --------- d-------- C:\Program Files\Common Files\Apple
    2007-08-02 18:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-08-02 18:41 --------- d-------- C:\Program Files\QuickTime
    2007-08-02 11:23 --------- d-------- C:\DOCUME~1\GENEVI~1\APPLIC~1\Canon
    2007-07-28 08:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-28 08:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-28 08:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-28 07:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-28 07:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-04-04 22:48 87608 --a------ C:\DOCUME~1\Adam\APPLIC~1\ezpinst.exe
    2007-04-04 22:48 47360 --a------ C:\DOCUME~1\Adam\APPLIC~1\pcouffin.sys
    2007-03-29 00:39 192 --a------ C:\Program Files\2IN07A7I.bat
    2007-03-22 12:19 201 --a------ C:\DOCUME~1\Adam\q.bat
    2007-03-22 08:25 201 --a------ C:\DOCUME~1\GENEVI~1\q.bat
    2007-03-16 17:30 114 --a------ C:\DOCUME~1\Adam\hhjj.bat
    2007-03-09 08:07 63 --a------ C:\DOCUME~1\Adam\yyd.bat
    2007-03-09 08:06 75 --a------ C:\DOCUME~1\Adam\n.bat
    2007-03-08 07:26 105 --a------ C:\DOCUME~1\GENEVI~1\yyd.bat
    2007-03-08 07:25 77 --a------ C:\DOCUME~1\GENEVI~1\n.bat
    2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
    2007-02-04 13:21:41 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2006-08-25 04:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 14:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)

    R2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
    R2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
    R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
    R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
    R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
    R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-20 08:34:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-21 17:49:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-21 17:51:13 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-21 17:50
    C:\ComboFix2.txt ... 2007-09-20 18:37
    .
    --- E O F ---
     
  5. 2007/09/21
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 17:55:24, on 21/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Adam\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  6. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\Program Files\2IN07A7I.bat
    C:\DOCUME~1\Adam\q.bat
    C:\DOCUME~1\GENEVI~1\q.bat
    C:\DOCUME~1\Adam\hhjj.bat
    C:\DOCUME~1\Adam\yyd.bat
    C:\DOCUME~1\Adam\n.bat
    C:\DOCUME~1\GENEVI~1\yyd.bat
    C:\DOCUME~1\GENEVI~1\n.bat
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  7. 2007/09/21
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    ComboFix 07-09-19.8 - "Adam" 2007-09-22 12:39:30.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.640 [GMT 10:00]
    * Created a new restore point

    FILE::
    C:\Program Files\2IN07A7I.bat
    C:\DOCUME~1\Adam\q.bat
    C:\DOCUME~1\GENEVI~1\q.bat
    C:\DOCUME~1\Adam\hhjj.bat
    C:\DOCUME~1\Adam\yyd.bat
    C:\DOCUME~1\Adam\n.bat
    C:\DOCUME~1\GENEVI~1\yyd.bat
    C:\DOCUME~1\GENEVI~1\n.bat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\Adam\hhjj.bat
    C:\DOCUME~1\Adam\n.bat
    C:\DOCUME~1\Adam\q.bat
    C:\DOCUME~1\Adam\yyd.bat
    C:\DOCUME~1\GENEVI~1\n.bat
    C:\DOCUME~1\GENEVI~1\q.bat
    C:\DOCUME~1\GENEVI~1\yyd.bat
    C:\Program Files\2IN07A7I.bat

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-22 12:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-20 18:43 <DIR> drahs---- C:\autorun.inf
    2007-09-13 23:24 <DIR> d-------- C:\WINDOWS\pss
    2007-09-07 22:56 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-09-07 22:43 <DIR> d-------- C:\Program Files\Yahoo!
    2007-09-06 20:06 <DIR> d-------- C:\DOCUME~1\Adam\APPLIC~1\MSNInstaller
    2007-08-24 14:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
    2007-08-24 14:16 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-08-24 08:53 <DIR> d-------- C:\Program Files\Albumprinter Australia
    2007-08-24 08:47 <DIR> d-------- C:\Program Files\My Reflections
    2007-08-24 08:47 <DIR> d-------- C:\Program Files\Microsoft WSE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-21 11:05 --------- d-------- C:\Program Files\VoipCheapCom
    2007-09-09 15:15 --------- d-------- C:\Program Files\oneworldflights
    2007-09-09 02:30 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-09-09 01:15 --------- d-------- C:\Program Files\Gabest
    2007-09-04 08:15 --------- d-------- C:\Program Files\Google
    2007-09-04 08:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-08-24 14:11 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Skype
    2007-08-04 14:22 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
    2007-08-02 18:44 --------- d-------- C:\Program Files\iTunes
    2007-08-02 18:44 --------- d-------- C:\Program Files\iPod
    2007-08-02 18:42 --------- d-------- C:\Program Files\Common Files\Apple
    2007-08-02 18:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-08-02 18:41 --------- d-------- C:\Program Files\QuickTime
    2007-08-02 11:23 --------- d-------- C:\DOCUME~1\GENEVI~1\APPLIC~1\Canon
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
    2007-07-28 08:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-07-28 08:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-28 08:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-28 08:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-28 07:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-28 07:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-07-28 07:57 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-07-19 16:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-07-13 09:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-28 00:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-28 00:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-28 00:34 6058496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-06-28 00:34 52224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-06-28 00:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-28 00:34 459264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-06-28 00:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-06-28 00:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-06-28 00:34 383488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-06-28 00:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-28 00:34 267776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-06-28 00:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-06-28 00:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-06-28 00:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-28 00:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-06-28 00:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-28 00:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
    2007-06-28 00:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-28 00:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
    2007-06-28 00:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
    2007-06-27 18:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-06-27 18:27 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-06-27 18:27 13824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-06-27 17:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-04-04 22:48 87608 --a------ C:\DOCUME~1\Adam\APPLIC~1\ezpinst.exe
    2007-04-04 22:48 47360 --a------ C:\DOCUME~1\Adam\APPLIC~1\pcouffin.sys
    2005-09-25 01:49 12288 --a------ C:\WINDOWS\Fonts\RandFont.dll
    2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe
    2007-02-04 13:21:41 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-20_183702.65 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 821,728 2007-09-21 14:24:45 C:\WINDOWS\system32\drivers\avg7core.sys
    .
    ----a-w 821,600 2007-09-03 22:02:07 C:\WINDOWS\system32\drivers\avg7core.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2006-08-25 04:40]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 14:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)

    R2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
    R2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
    R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
    R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
    R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
    R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-20 08:34:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-22 12:42:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-22 12:43:09
    C:\ComboFix-quarantined-files.txt ... 2007-09-22 12:42
    C:\ComboFix2.txt ... 2007-09-21 17:51
    C:\ComboFix3.txt ... 2007-09-20 18:37
    .
    --- E O F ---
     
  8. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well done! Looks good. How's the computer performing now?

    Let's clean up and run a virus scan.

    Delete all of the following tools we have used, and the files/folders they created, if they exist.

    combofix.exe
    C:\ComboFix
    C:\QOOBOX
    C:\WINDOWS\nircmd.exe
    all combofix logs

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh HJT log.
     
  9. 2007/09/22
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    Thanks again.

    I can get right through to your 2nd last instruction!

    When I click on my computer the webpage has "error on page" displayed at the bottom left and nothing happens. I've rebooted and still the same. I'm getting a pop up to buy some software for $20something from Panda and am ignoring this.

    I'll keep trying...
     
  10. 2007/09/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Seems a lot of people having trouble with Panda lately. No worries ..... we'll use another. ;)

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  11. 2007/09/24
    willyontour

    willyontour Inactive Thread Starter

    Joined:
    2007/09/12
    Messages:
    20
    Likes Received:
    0
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, September 24, 2007 8:52:37 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 24/09/2007
    Kaspersky Anti-Virus database records: 422815
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 105002
    Number of viruses found: 11
    Number of infected objects: 29
    Number of suspicious objects: 0
    Duration of the scan process: 01:57:57

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Adam\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Adam\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Adam\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Adam\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\RECYCLER\S-1-5-21-3181614797-2755035834-4263896608-1005\Dc2.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\RECYCLER\S-1-5-21-3181614797-2755035834-4263896608-1005\Dc2.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\RECYCLER\S-1-5-21-3181614797-2755035834-4263896608-1005\Dc2.exe RarSFX: infected - 2 skipped
    C:\RECYCLER\S-1-5-21-3181614797-2755035834-4263896608-1005\Dc5\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP149\A0028625.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP149\A0028625.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP165\A0032454.exe Object is locked skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP167\A0032556.dll Object is locked skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP167\A0032557.dll Object is locked skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP168\A0032668.exe Object is locked skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP168\A0032872.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP168\A0032872.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP168\A0032872.exe RarSFX: infected - 2 skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP168\A0032895.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036371.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036374.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036375.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036376.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036377.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036378.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036379.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036380.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036381.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036382.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036383.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036385.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036385.exe/data0003 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036385.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036385.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036385.exe NSIS: infected - 4 skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036392.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ts skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP180\A0036393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP181\A0036468.dll Object is locked skipped
    C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP182\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D3DF705A-25D3-465D-AF92-6D13DD556A77}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
    C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
    C:\WINDOWS\system32\msmq\storage\QMLog Object is locked skipped
    C:\WINDOWS\system32\pCastCtl.dll Infected: not-a-virus:AdWare.Win32.Dudu.f skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  12. 2007/09/24
    willyontour

    Logfile of HijackThis v1.99.1
    Scan saved at 20:54:32, on 24/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Adam\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  13. 2007/09/24
    willyontour

    Hi,

    The machine is running much better. I haven't seen the winantivirus pop up (when logged in as me) for a couple of days. The online system scan did show up that I had a number of viruses and infected files so not sure how to remove them. And I'm not sure how to get AVG and avast to run on start up (I thought I just placed shortcuts to their exe files in the start up directory?)

    Thanks again,

    Adam
     
  14. 2007/09/24
    noahdfear

    You're in good shape. :)

    Delete the following file.

    C:\WINDOWS\system32\pCastCtl.dll

    Empty the recycle bin.

    The remaining infections are in past System Restore points. Let's take care of those now.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click Next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point', then click Next. Give the restore point a name and click Next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49

    Surf safe!

    You're most welcome. Glad I could help. :)
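    The triage noahdfear does by eye above (one live file to delete, a Recycle Bin hit, everything else inside System Restore points) can be pulled out of the Kaspersky report mechanically. This is an added example, not code from the thread; the log lines it parses are constructed in the report's format, with the restore-point GUID and Recycle Bin SID shortened to placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky online scanner report
# posted in the thread (restore-point GUID and recycle-bin SID are
# shortened placeholders; detection names are as reported there).
SAMPLE_LOG = """\
C:\\Documents and Settings\\Adam\\NTUSER.DAT Object is locked skipped
C:\\RECYCLER\\S-1-5-21-SID\\Dc5\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\System Volume Information\\_restore{GUID}\\RP180\\A0036374.exe Infected: Trojan.Win32.Agent.bck skipped
C:\\System Volume Information\\_restore{GUID}\\RP180\\A0036385.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped
C:\\System Volume Information\\_restore{GUID}\\RP180\\A0036385.exe NSIS: infected - 4 skipped
C:\\WINDOWS\\system32\\pCastCtl.dll Infected: not-a-virus:AdWare.Win32.Dudu.f skipped
"""

# Per-object detection: "<path> Infected: <name> skipped".
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# Container summary ("<path> NSIS: infected - 4 skipped", "RarSFX: infected - 2");
# its members are already listed on their own lines, so it adds nothing.
CONTAINER_RE = re.compile(r"^.+? \S+: infected - \d+ skipped$")

def classify(path):
    """Bucket an on-disk path the way the helper reasons about it above."""
    upper = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "system_restore"   # cleared by toggling System Restore off/on
    if "\\RECYCLER\\" in upper:
        return "recycle_bin"      # gone once the Recycle Bin is emptied
    return "live"                 # must be deleted or disinfected by hand

def triage(log_text):
    """Map bucket -> [(on-disk file, detection name)], one entry per pair.

    Archive members ("<file>/data0004") fold into their container file;
    "Object is locked" lines are not detections and are ignored.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if CONTAINER_RE.match(line):
            continue
        m = INFECTED_RE.match(line)
        if not m:
            continue
        on_disk = m.group("path").split("/", 1)[0]
        entry = (on_disk, m.group("name"))
        if entry not in buckets[classify(on_disk)]:
            buckets[classify(on_disk)].append(entry)
    return dict(buckets)
```

    Running triage(SAMPLE_LOG) puts pCastCtl.dll under 'live', the Reboot.exe hit under 'recycle_bin' and the two restore-point detections under 'system_restore', which is exactly the three-step cleanup given above.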
     
  15. 2007/10/03
    willyontour

    Thanks SO much for all the help you gave me. My computer seems to be running fine now. I've installed a firewall that was recommended which asked me to allow or deny everything and may have slowed the system down a bit but there's no sign of any virus and it all seems great.

    THANKS AGAIN.
     
  16. 2007/10/03
    noahdfear

    All great news! You're very welcome. :)
     
