
[Winupdate errors - HJT log]

Discussion in 'Malware and Virus Removal Archive' started by LostRealist, 2008/02/12.

  1. 2008/02/12
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    Not sure if this posted already, but I'll post it again.

    When I start my computer this pops up

    -Winupdate.exe has encountered a problem and needs to close.

    Then this happens
    - Application Error
    Exception EAccessViolation in module winupdate.exe at 0001B6BB
    Access violation at address 0041B6BB in module winupdate

    Also I have this thing in my tray that says System Alert: Malware threats then opens a window to some site.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:30:50 PM, on 2/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Lexmark 4300 Series\lxcemon.exe
    C:\Program Files\Lexmark 4300 Series\ezprint.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\WINDOWS\system32\lxcecoms.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\NetProject\scit.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\NetProject\sbmntr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    F3 - REG:win.ini: run= "C:\WINDOWS\system32\winupdate.exe "
    O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {42A44A09-3A1E-4BA2-B14C-D8398E0C3317} - C:\WINDOWS\system32\ddcyyyw.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {89DAFA36-D2B0-4CCA-80BD-1DD6566D2447} - C:\WINDOWS\system32\awvtt.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202856564.dll
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll (file missing)
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe "
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe "
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe "
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-542953270-4015992607-1351183667-1005\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'IUSR_NMPR')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: ddcyyyw - ddcyyyw.dll (file missing)
    O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
    O21 - SSODL: SrvAvp - {1a2f52df-4394-4919-944d-06fba696d304} - C:\WINDOWS\Installer\{1a2f52df-4394-4919-944d-06fba696d304}\SrvAvp.dll (file missing)
    O21 - SSODL: zip - {6d0d5cec-cba7-4249-b344-d9a0129b1dbb} - C:\WINDOWS\Installer\{6d0d5cec-cba7-4249-b344-d9a0129b1dbb}\zip.dll (file missing)
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

    --
    End of file - 9983 bytes

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-02-12 21:52:58
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Owner.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:53:05 PM, on 2/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NetProject\scit.exe
    C:\Program Files\NetProject\sbmntr.exe
    C:\Program Files\NetProject\scm.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Lexmark 4300 Series\lxcemon.exe
    C:\Program Files\Lexmark 4300 Series\ezprint.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\WINDOWS\system32\lxcecoms.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Owner.gateway\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
    F3 - REG:win.ini: run= "C:\WINDOWS\system32\winupdate.exe "
    O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {42A44A09-3A1E-4BA2-B14C-D8398E0C3317} - C:\WINDOWS\system32\ddcyyyw.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {89DAFA36-D2B0-4CCA-80BD-1DD6566D2447} - C:\WINDOWS\system32\awvtt.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202856564.dll
    O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll (file missing)
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe "
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe "
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe "
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-542953270-4015992607-1351183667-1005\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'IUSR_NMPR')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: ddcyyyw - ddcyyyw.dll (file missing)
    O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
    O21 - SSODL: SrvAvp - {1a2f52df-4394-4919-944d-06fba696d304} - C:\WINDOWS\Installer\{1a2f52df-4394-4919-944d-06fba696d304}\SrvAvp.dll (file missing)
    O21 - SSODL: zip - {6d0d5cec-cba7-4249-b344-d9a0129b1dbb} - C:\WINDOWS\Installer\{6d0d5cec-cba7-4249-b344-d9a0129b1dbb}\zip.dll (file missing)
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

    --
    End of file - 10964 bytes

    -- Files created between 2008-01-12 and 2008-02-12 -----------------------------

    2008-02-12 21:42:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-12 18:02:44 0 d-------- C:\Program Files\Trend Micro
    2008-02-12 17:49:24 0 d-------- C:\Program Files\Helper
    2008-02-12 17:49:20 0 d-------- C:\Program Files\NetProject
    2008-02-09 21:05:22 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\Grisoft
    2008-02-09 20:59:46 0 dr-h----- C:\$VAULT$.AVG
    2008-02-09 20:57:30 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\AVG7
    2008-02-09 20:56:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-09 20:56:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-09 20:56:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-02-09 20:00:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-02-09 19:59:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\VCOM
    2008-02-09 19:58:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2008-02-09 19:21:29 7340032 --a------ C:\Documents and Settings\Owner.gateway\ntuser.dat
    2008-02-09 19:21:29 262144 --a------ C:\Documents and Settings\LocalService\ntuser.dat
    2008-02-09 19:21:29 1835008 --a------ C:\Documents and Settings\IUSR_NMPR\ntuser.dat
    2008-02-09 19:21:12 254300 --ahs---- C:\WINDOWS\system32\ttvwa.ini2
    2008-02-09 19:18:16 87040 --a------ C:\WINDOWS\system32\winupdate.exe
    2008-02-09 19:17:48 15360 --a------ C:\WINDOWS\system32\drvtajr.dll
    2008-02-06 16:48:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-02-06 16:48:10 0 d-------- C:\Program Files\AOL Games
    2008-01-31 12:51:34 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\U3
    2008-01-30 20:47:09 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\PlayFirst
    2008-01-28 14:10:07 0 d-------- C:\SIERRA
    2008-01-28 14:10:07 0 d-------- C:\Program Files\Sierra On-Line
    2008-01-28 14:08:55 2829 --a------ C:\WINDOWS\DiabUnin.pif
    2008-01-28 14:08:55 118784 --a------ C:\WINDOWS\DiabUnin.exe <Not Verified; Blizzard Entertainment; Diablo Uninstaller>
    2008-01-28 14:08:53 5598 --a------ C:\WINDOWS\DiabUnin.dat
    2008-01-28 14:08:53 0 d-------- C:\Program Files\Diablo
    2008-01-20 22:58:35 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\DivX


    -- Find3M Report ---------------------------------------------------------------

    2008-02-12 20:01:13 0 d-------- C:\Program Files\Lx_cats
    2008-02-12 17:46:43 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\uTorrent
    2008-02-11 19:31:58 0 d-------- C:\Program Files\Diablo II
    2008-02-10 18:16:52 0 d-------- C:\Program Files\Starcraft
    2008-02-07 17:20:19 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2008-02-06 17:17:33 0 d-------- C:\Program Files\Gateway Games
    2008-02-02 18:53:43 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\LimeWire
    2008-01-30 20:47:09 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\Macromedia
    2008-01-26 22:33:13 0 d-------- C:\Program Files\PCFriendly
    2008-01-20 22:53:48 0 d-------- C:\Program Files\DivX
    2008-01-09 19:57:03 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\Arcsoft
    2008-01-09 19:56:10 0 d-------- C:\Program Files\palmOne
    2008-01-06 14:52:07 35190 --a------ C:\WINDOWS\scunin.dat
    2008-01-06 14:52:06 967 --a------ C:\WINDOWS\ScUnin.pif
    2008-01-06 14:52:06 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
    2008-01-04 16:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-01-04 16:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2008-01-04 16:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2008-01-04 16:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2008-01-04 16:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2008-01-04 16:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2008-01-04 16:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2008-01-04 16:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-12-14 13:02:56 0 d-------- C:\Documents and Settings\Owner.gateway\Application Data\CyberLink


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}]
    C:\WINDOWS\system32\winsrc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A44A09-3A1E-4BA2-B14C-D8398E0C3317}]
    C:\WINDOWS\system32\ddcyyyw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89DAFA36-D2B0-4CCA-80BD-1DD6566D2447}]
    C:\WINDOWS\system32\awvtt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03FD59D-9104-44B7-929A-9EAA0BA05211}]
    02/12/2008 05:49 PM 12800 --a------ C:\Program Files\Helper\1202856564.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}]
    02/12/2008 07:59 PM 10240 --a------ C:\Program Files\NetProject\sbmdl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder "= "%WINDIR%\Creator\Remind_XP.exe" []
    "Recguard "= "%WINDIR%\SMINST\RECGUARD.EXE" []
    "NMSSupport "= "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [03/29/2006 10:10 PM]
    "VirusScannerPro "= "C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [01/29/2007 03:02 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [01/04/2007 01:11 PM]
    "LXCECATS "= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [07/20/2005 08:46 AM]
    "lxcemon.exe "= "C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [08/02/2005 12:45 PM]
    "EzPrint "= "C:\Program Files\Lexmark 4300 Series\ezprint.exe" [07/26/2005 07:17 AM]
    "FaxCenterServer "= "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [07/12/2005 04:36 AM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02/09/2008 08:58 PM]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 PM]
    "msnmsgr "= "C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 11:54 AM]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]
    "ieupdate "= "C:\WINDOWS\system32\ieupdates.exe" []
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [6/9/2004 1:16:08 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
    "some "=C:\Program Files\NetProject\scit.exe
    "start "=C:\Program Files\NetProject\sbmntr.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{42A44A09-3A1E-4BA2-B14C-D8398E0C3317} "= C:\WINDOWS\system32\ddcyyyw.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SrvAvp "= {1a2f52df-4394-4919-944d-06fba696d304} - C:\WINDOWS\Installer\{1a2f52df-4394-4919-944d-06fba696d304}\SrvAvp.dll [ ]
    "zip "= {6d0d5cec-cba7-4249-b344-d9a0129b1dbb} - C:\WINDOWS\Installer\{6d0d5cec-cba7-4249-b344-d9a0129b1dbb}\zip.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyyyw]
    ddcyyyw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32]
    winwly32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\awvtt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    AutoRun\command- K:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67162701-9f1b-11db-ae2c-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




    -- End of Deckard's System Scanner: finished at 2008-02-12 21:53:31 -------
     
  2. 2008/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS LostRealist :)

    Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt here.

    Then, download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2008/02/13
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    C:\rapport.txt

    SmitFraudFix v2.288

    Scan done at 22:06:56.87, Wed 02/13/2008
    Run from C:\Documents and Settings\Owner.gateway\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    Had to remove this; the text was too long, but if needed I can make multiple posts to get it all. Too long (225429 characters)

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\wsremover.exe Deleted
    C:\Program Files\Helper\ Deleted
    C:\Program Files\NetProject\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  5. 2008/02/13
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    ComboFix Report

    ComboFix 08-02-13.2 - Owner 2008-02-13 22:26:41.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.551 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner.gateway\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Owner.gateway\Application Data\macromedia\Flash Player\#SharedObjects\94JBGYAM\iforex.com
    C:\Documents and Settings\Owner.gateway\Application Data\macromedia\Flash Player\#SharedObjects\94JBGYAM\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
    C:\Documents and Settings\Owner.gateway\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
    C:\Documents and Settings\Owner.gateway\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
    C:\Program Files\SystemDefender
    C:\WINDOWS\search_res.txt
    C:\WINDOWS\system32\drvtajr.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mrzyozyx.dllbox
    C:\WINDOWS\system32\ntload.sys
    C:\WINDOWS\system32\ttvwa.ini
    C:\WINDOWS\system32\ttvwa.ini2
    C:\WINDOWS\system32\winupdate.exe
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://au.download.windowsupdate.cõj+|Cü¤ÃŒâ€ºv÷+È@â„¢JŸ:®½â€°NêGD_©½ºDËœQÄ{¶Ã€zÃŽtç Ã’»ÃŒHžG†.XóÆß±UÕ‡ÀÃN¼Å¾Ã‡v‚PåâWU Client Download S-1-5-18 `€HT4?? 6ÚVwoQZC¬¬D¢HÿóMsC:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\eef5a36924cdf0c02598ccf96aa4f60887a49840‰
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NTLOAD
    -------\ntload


    ((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
    .

    2008-02-13 22:07 . 2008-02-13 22:07 3,394 --a------ C:\WINDOWS\system32\tmp.reg
    2008-02-12 22:09 . 2008-02-12 22:09 86 --a------ C:\WINDOWS\wininit.ini
    2008-02-12 21:42 . 2008-02-12 21:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-12 21:42 . 2008-02-13 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-12 18:05 . 2008-02-12 18:05 <DIR> d-------- C:\Deckard
    2008-02-12 18:02 . 2008-02-12 18:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-09 21:05 . 2008-02-09 21:05 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\Grisoft
    2008-02-09 21:05 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-09 20:57 . 2008-02-13 17:14 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\AVG7
    2008-02-09 20:56 . 2008-02-09 20:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-09 20:56 . 2008-02-09 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-09 20:56 . 2008-02-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-02-09 20:24 . 2008-02-09 20:27 3,262 --a------ C:\WINDOWS\system32\sex2.ico
    2008-02-09 20:24 . 2008-02-09 20:28 3,262 --a------ C:\WINDOWS\system32\sex1.ico
    2008-02-09 20:00 . 2008-02-09 20:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-02-09 19:59 . 2008-02-09 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VCOM
    2008-02-06 16:48 . 2008-02-09 19:50 <DIR> d-------- C:\Program Files\AOL Games
    2008-02-06 16:48 . 2008-02-06 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-02-04 12:30 . 2008-02-04 12:30 268 --ah----- C:\sqmdata02.sqm
    2008-02-04 12:30 . 2008-02-04 12:30 244 --ah----- C:\sqmnoopt02.sqm
    2008-02-04 12:30 . 2008-02-04 12:30 136 --ah----- C:\sqmdata03.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 244 --ah----- C:\sqmnoopt00.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 232 --ah----- C:\sqmdata00.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 172 --ah----- C:\sqmnoopt01.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 172 --ah----- C:\sqmdata01.sqm
    2008-01-31 12:51 . 2008-02-09 20:55 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\U3
    2008-01-30 20:47 . 2008-01-30 20:47 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\PlayFirst
    2008-01-28 14:10 . 2008-01-28 14:10 <DIR> d-------- C:\SIERRA
    2008-01-28 14:10 . 2008-01-28 14:10 <DIR> d-------- C:\Program Files\Sierra On-Line
    2008-01-28 14:09 . 2008-01-28 14:11 393 --a------ C:\WINDOWS\SIERRA.INI
    2008-01-28 14:08 . 2008-01-28 14:11 <DIR> d-------- C:\Program Files\Diablo
    2008-01-28 14:08 . 2008-01-28 14:08 118,784 --a------ C:\WINDOWS\DiabUnin.exe
    2008-01-28 14:08 . 2008-01-28 14:08 5,598 --a------ C:\WINDOWS\DiabUnin.dat
    2008-01-28 14:08 . 2008-01-28 14:08 2,829 --a------ C:\WINDOWS\DiabUnin.pif
    2008-01-20 22:58 . 2008-01-21 08:26 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\DivX

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-14 03:12 --------- d-----w C:\Program Files\Lx_cats
    2008-02-12 22:46 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\uTorrent
    2008-02-12 00:31 --------- d-----w C:\Program Files\Diablo II
    2008-02-10 23:16 --------- d-----w C:\Program Files\Starcraft
    2008-02-10 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
    2008-02-06 22:17 --------- d-----w C:\Program Files\Gateway Games
    2008-02-02 23:53 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\LimeWire
    2008-01-27 03:33 --------- d-----w C:\Program Files\PCFriendly
    2008-01-21 03:53 --------- d-----w C:\Program Files\DivX
    2008-01-18 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-01-10 00:57 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\Arcsoft
    2008-01-10 00:56 --------- d-----w C:\Program Files\palmOne
    2008-01-06 19:52 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2008-01-04 21:58 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-01-04 21:58 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2007-12-14 18:02 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\CyberLink
    2007-09-01 23:03 0 ----a-w C:\Documents and Settings\Owner.gateway\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}]
    C:\WINDOWS\system32\winsrc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A44A09-3A1E-4BA2-B14C-D8398E0C3317}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89DAFA36-D2B0-4CCA-80BD-1DD6566D2447}]
    C:\WINDOWS\system32\awvtt.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "msnmsgr"= "C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
    "updateMgr"= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
    "SpybotSD TeaTimer"= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"= "%WINDIR%\Creator\Remind_XP.exe" [ ]
    "Recguard"= "%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "NMSSupport"= "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 22:10 375296]
    "VirusScannerPro"= "C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [2007-01-29 15:02 62976]
    "QuickTime Task"= "C:\Program Files\QuickTime\qttask.exe" [2007-01-04 13:11 98304]
    "LXCECATS"= "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 08:46 73728]
    "lxcemon.exe"= "C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 12:45 192512]
    "EzPrint"= "C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 07:17 94208]
    "FaxCenterServer"= "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 04:36 299008]
    "AVG7_CC"= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-09 20:58 579072]
    "!AVG Anti-Spyware"= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 20:56 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08 471040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SrvAvp"= {1a2f52df-4394-4919-944d-06fba696d304} - C:\WINDOWS\Installer\{1a2f52df-4394-4919-944d-06fba696d304}\SrvAvp.dll [ ]
    "zip"= {6d0d5cec-cba7-4249-b344-d9a0129b1dbb} - C:\WINDOWS\Installer\{6d0d5cec-cba7-4249-b344-d9a0129b1dbb}\zip.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyyyw]
    ddcyyyw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32]
    winwly32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

    R2 Fix-It Task Manager;Fix-It Task Manager;C:\PROGRA~1\VCOM\Fix-It\mxtask.exe [2007-01-29 15:02]
    S3 GameConsoleService;GameConsoleService; "C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe" [2008-01-29 12:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67162701-9f1b-11db-ae2c-806d6172696f}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-08-15 16:14:40 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-08-15 16:14:40 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-08-15 16:14:40 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-13 22:29:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\system32\lxcecoms.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-13 22:34:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-14 03:34:01
    .
    2008-02-13 03:14:20 --- E O F ---
     
  6. 2008/02/13
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    Updated Hijackthis report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:43:06 PM, on 2/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Lexmark 4300 Series\lxcemon.exe
    C:\Program Files\Lexmark 4300 Series\ezprint.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\WINDOWS\system32\lxcecoms.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {89DAFA36-D2B0-4CCA-80BD-1DD6566D2447} - C:\WINDOWS\system32\awvtt.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-542953270-4015992607-1351183667-1005\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'IUSR_NMPR')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: ddcyyyw - ddcyyyw.dll (file missing)
    O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
    O21 - SSODL: SrvAvp - {1a2f52df-4394-4919-944d-06fba696d304} - C:\WINDOWS\Installer\{1a2f52df-4394-4919-944d-06fba696d304}\SrvAvp.dll (file missing)
    O21 - SSODL: zip - {6d0d5cec-cba7-4249-b344-d9a0129b1dbb} - C:\WINDOWS\Installer\{6d0d5cec-cba7-4249-b344-d9a0129b1dbb}\zip.dll (file missing)
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

    --
    End of file - 8955 bytes
     
  7. 2008/02/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showpost.php?p=384916&postcount=4
    
    Collect::
    C:\Qoobox\quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
    C:\Qoobox\quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
    
    File::
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\wininit.ini
    C:\WINDOWS\system32\sex2.ico
    C:\WINDOWS\system32\sex1.ico
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A44A09-3A1E-4BA2-B14C-D8398E0C3317}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89DAFA36-D2B0-4CCA-80BD-1DD6566D2447}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyyyw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67162701-9f1b-11db-ae2c-806d6172696f}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
     "SrvAvp"=-
     "zip"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a new HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
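    The Registry:: section of that CFScript is built by hand from the HijackThis entries that report "(file missing)": autostart references whose DLL is already gone, so only the load point is left to clean up. As an added illustration (not part of the thread, and not code from ComboFix, HijackThis or their authors), the script below does that triage over a handful of lines copied from the HijackThis log in post 6 (a constructed sample, not the whole log), flags the orphaned BHO, Winlogon Notify and SSODL entries, marks the AppInit_DLLs load point for manual review, and prints an equivalent Registry:: block in the same [-key] and "value"=- form the CFScript above uses. The key paths, the "~" shorthand for the Explorer key and the output format are taken from the thread's own script, not from any ComboFix documentation, and are assumptions for this example.

```python
"""Triage of HijackThis-style autostart lines (added example, not tool code).

Flags entries whose file is gone and emits the ComboFix Registry:: lines that
would remove the leftover load points, the same way the helper did by hand.
"""
import re
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis log posted in
# this thread, plus Adobe's BHO as a benign control entry.
SAMPLE_LOG = r"""
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {89DAFA36-D2B0-4CCA-80BD-1DD6566D2447} - C:\WINDOWS\system32\awvtt.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ddcyyyw - ddcyyyw.dll (file missing)
O21 - SSODL: SrvAvp - {1a2f52df-4394-4919-944d-06fba696d304} - C:\WINDOWS\Installer\{1a2f52df-4394-4919-944d-06fba696d304}\SrvAvp.dll (file missing)
"""

GUID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
    "O20-notify": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
    "O20-appinit": re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$"),
    "O21": re.compile(rf"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>{GUID}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"),
}

# Registry paths as written in the thread's CFScript; "~" is ComboFix's
# shorthand for the Explorer key (assumption taken from the script above).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Turn O2 / O20 / O21 lines into dicts; any other line is skipped."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                d = m.groupdict()  # unmatched optional groups come back as None
                entries.append({
                    "kind": kind,
                    "name": d.get("name") or "",
                    "clsid": d.get("clsid") or "",
                    "path": d["path"],
                    "missing": d.get("missing") is not None,
                })
                break
    return entries


def triage(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pick out what deserves a second look.

    A load point whose file is missing is an orphan: a remover already took
    the DLL (or the payload moved) and only the registry reference is left.
    AppInit_DLLs is loaded into every process that links user32.dll, so even a
    present file is listed for a human to confirm (here Google's helper DLL).
    """
    findings = []
    for e in entries:
        if e["missing"]:
            findings.append({**e, "reason": "file missing"})
        elif e["kind"] == "O20-appinit":
            findings.append({**e, "reason": "review"})
    return findings


def cfscript_registry_section(findings: List[Dict[str, object]]) -> str:
    """Emit a Registry:: block: [-key] deletes a key, "value"=- deletes a value."""
    lines = ["Registry::"]
    ssodl_values = []
    for f in findings:
        if f["reason"] != "file missing":
            continue  # "review" items are for a person, not for the script
        if f["kind"] == "O2":
            lines.append(f"[-{BHO_KEY}\\{f['clsid']}]")
        elif f["kind"] == "O20-notify":
            lines.append(f"[-{NOTIFY_KEY}\\{f['name']}]")
        elif f["kind"] == "O21":
            ssodl_values.append(f'"{f["name"]}"=-')
    if ssodl_values:
        lines.append(f"[{SSODL_KEY}]")
        lines.extend(ssodl_values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"{f['kind']:12} {f['reason']:13} {f['name'] or f['path']}")
    print()
    print(cfscript_registry_section(found))
```

    Run as-is it lists the four orphaned entries and the AppInit_DLLs review item, then prints a Registry:: block whose BHO, Winlogon Notify and SSODL lines match the ones noahdfear wrote above. The review bucket is deliberate: a present DLL in a broad load point such as AppInit_DLLs should be judged by a person, not deleted by a pattern.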
     
  8. 2008/02/15
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    ComboFix results, Feb 15

    Since I have not said this already, thank you a lot for helping me with this problem.


    ComboFix 08-02-16.2 - Owner 2008-02-15 20:34:23.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.534 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner.gateway\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner.gateway\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINDOWS\system32\sex1.ico
    C:\WINDOWS\system32\sex2.ico
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\wininit.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\sex1.ico
    C:\WINDOWS\system32\sex2.ico
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\wininit.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
    .

    2008-02-13 17:19 . 2007-12-18 04:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
    2008-02-12 21:42 . 2008-02-12 21:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-12 21:42 . 2008-02-13 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-12 18:05 . 2008-02-12 18:05 <DIR> d-------- C:\Deckard
    2008-02-12 18:02 . 2008-02-12 18:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-09 21:05 . 2008-02-09 21:05 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\Grisoft
    2008-02-09 21:05 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-09 20:57 . 2008-02-15 19:39 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\AVG7
    2008-02-09 20:56 . 2008-02-09 20:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-09 20:56 . 2008-02-09 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-09 20:56 . 2008-02-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-02-09 20:00 . 2008-02-09 20:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-02-09 19:59 . 2008-02-09 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VCOM
    2008-02-06 16:48 . 2008-02-09 19:50 <DIR> d-------- C:\Program Files\AOL Games
    2008-02-06 16:48 . 2008-02-06 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    2008-02-04 12:30 . 2008-02-04 12:30 268 --ah----- C:\sqmdata02.sqm
    2008-02-04 12:30 . 2008-02-04 12:30 244 --ah----- C:\sqmnoopt02.sqm
    2008-02-04 12:30 . 2008-02-04 12:30 136 --ah----- C:\sqmdata03.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 244 --ah----- C:\sqmnoopt00.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 232 --ah----- C:\sqmdata00.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 172 --ah----- C:\sqmnoopt01.sqm
    2008-02-03 18:31 . 2008-02-03 18:31 172 --ah----- C:\sqmdata01.sqm
    2008-01-31 12:51 . 2008-02-09 20:55 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\U3
    2008-01-30 20:47 . 2008-01-30 20:47 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\PlayFirst
    2008-01-28 14:10 . 2008-01-28 14:10 <DIR> d-------- C:\SIERRA
    2008-01-28 14:10 . 2008-01-28 14:10 <DIR> d-------- C:\Program Files\Sierra On-Line
    2008-01-28 14:09 . 2008-01-28 14:11 393 --a------ C:\WINDOWS\SIERRA.INI
    2008-01-28 14:08 . 2008-01-28 14:11 <DIR> d-------- C:\Program Files\Diablo
    2008-01-28 14:08 . 2008-01-28 14:08 118,784 --a------ C:\WINDOWS\DiabUnin.exe
    2008-01-28 14:08 . 2008-01-28 14:08 5,598 --a------ C:\WINDOWS\DiabUnin.dat
    2008-01-28 14:08 . 2008-01-28 14:08 2,829 --a------ C:\WINDOWS\DiabUnin.pif
    2008-01-20 22:58 . 2008-01-21 08:26 <DIR> d-------- C:\Documents and Settings\Owner.gateway\Application Data\DivX

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-15 21:55 --------- d-----w C:\Program Files\Starcraft
    2008-02-15 21:16 --------- d-----w C:\Program Files\Lx_cats
    2008-02-12 22:46 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\uTorrent
    2008-02-12 00:31 --------- d-----w C:\Program Files\Diablo II
    2008-02-10 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
    2008-02-07 22:20 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-02-06 22:17 --------- d-----w C:\Program Files\Gateway Games
    2008-02-02 23:53 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\LimeWire
    2008-01-27 03:33 --------- d-----w C:\Program Files\PCFriendly
    2008-01-21 03:53 --------- d-----w C:\Program Files\DivX
    2008-01-18 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
    2008-01-10 00:57 --------- d-----w C:\Documents and Settings\Owner.gateway\Application Data\Arcsoft
    2008-01-10 00:56 --------- d-----w C:\Program Files\palmOne
    2008-01-06 19:52 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-01-04 21:58 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-01-04 21:58 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-01-04 21:58 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
    2008-01-04 21:58 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
    2008-01-04 21:58 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
    2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
    2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-09-01 23:03 0 ----a-w C:\Documents and Settings\Owner.gateway\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 22:45 36040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
    "NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-29 22:10 375296]
    "VirusScannerPro"="C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [2007-01-29 15:02 62976]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-04 13:11 98304]
    "LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 08:46 73728]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-09 20:58 579072]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 02:34 169984]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 20:56 219136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 13:16:08 471040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
    --a------ 2005-07-26 07:17 94208 C:\Program Files\Lexmark 4300 Series\ezprint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    --a------ 2005-07-12 04:36 299008 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
    --a------ 2005-08-02 12:45 192512 C:\Program Files\Lexmark 4300 Series\lxcemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    R2 Fix-It Task Manager;Fix-It Task Manager;C:\PROGRA~1\VCOM\Fix-It\mxtask.exe [2007-01-29 15:02]
    S3 GameConsoleService;GameConsoleService; "C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe" [2008-01-29 12:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
    \Shell\AutoRun\command - K:\LaunchU3.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-08-15 16:14:40 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-08-15 16:14:40 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-08-15 16:14:40 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-15 20:35:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-15 20:36:21
    ComboFix-quarantined-files.txt 2008-02-16 01:36:14
    ComboFix2.txt 2008-02-14 03:34:03
    .
    2008-02-14 03:56:51 --- E O F ---
     
  9. 2008/02/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to help. :)

    Were you prompted to upload the collected zip file? I don't see it in the submissions area.

    Logs look good. Let's run an online scan now to see if we've missed anything. Please do an online scan with Kaspersky WebScanner.

    • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  10. 2008/02/16
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    Kaspersky Report + HijackThis report

    KASPERSKY ONLINE SCANNER REPORT
    Saturday, February 16, 2008 9:59:47 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 16/02/2008
    Kaspersky Anti-Virus database records: 568431


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan Statistics
    Total number of scanned objects 78362
    Number of viruses found 3
    Number of infected objects 9
    Number of suspicious objects 0
    Duration of the scan process 00:53:09

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\IUSR_NMPR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\IUSR_NMPR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\IUSR_NMPR\ntuser.dat Object is locked skipped

    C:\Documents and Settings\IUSR_NMPR\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Application Data\GTek\GTUpdate\AUpdate\NMSSupport\AUNet.log Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Application Data\GTek\GTUpdate\AUpdate\NMSSupport\AUNetDevs.log Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Application Data\GTek\GTUpdate\AUpdate\NMSSupport\IntelHCTAgent.log Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Desktop\Virus Removal Program\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Owner.gateway\Desktop\Virus Removal Program\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Owner.gateway\Desktop\Virus Removal Program\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Owner.gateway\Desktop\Virus Removal Program\SmitfraudFix.exe RarSFX: infected - 2 skipped

    C:\Documents and Settings\Owner.gateway\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Owner.gateway\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Owner.gateway\ntuser.dat Object is locked skipped

    C:\Documents and Settings\Owner.gateway\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiondb.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiondb.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionnameindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionnameindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionrevindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectionrevindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypedateindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypedateindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypeindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypeindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypenameindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_collectiontypenameindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_content.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_content.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_creationdateindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_creationdateindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_propdb.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_propdb.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_typenameindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_typenameindex.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urldb.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urldb.mdb2 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urlindex.mdb1 Object is locked skipped

    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\db\mb_urlindex.mdb2 Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP148\A0013498.Scr Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP150\A0013527.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP151\A0014575.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP151\A0014578.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP151\A0014654.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP151\A0014668.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014700.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014727.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014730.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014732.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014733.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014734.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014735.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014751.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014752.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP152\A0014774.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP155\A0014877.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP155\A0014878.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014940.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014974.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014976.dll Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014977.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014978.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014979.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014980.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP156\A0014983.exe Object is locked skipped

    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP160\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped

    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3C8E7F87-D86F-48BD-9C72-07023F3F8A0E}.crmlog Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP160\change.log Object is locked skipped

    D:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP160\A0015347.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped

    Scan process completed.

    --------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:01:41 AM, on 2/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    C:\WINDOWS\system32\lxcecoms.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-542953270-4015992607-1351183667-1005\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'IUSR_NMPR')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2CD50C22-B2A0-4641-980F-0091378EBBB6}: NameServer = 206.108.253.70 209.105.192.122
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

    --
    End of file - 7719 bytes
     
  11. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please respond to the above question.

    KAV scan results look good, just a bit of tidying up to do. We can do that as soon as those files get submitted.
     
  12. 2008/02/16
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
Not sure if they were submitted.

It finished, then closed, but I have the zip folder on my desktop.
     
  13. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please go here and upload the zip file.

    Copy the following link and paste it in the Link to Topic field, then add a comment that I requested the files be submitted.

    http://www.windowsbbs.com/showpost.php?p=384916&postcount=4
     
  14. 2008/02/16
    LostRealist

    LostRealist Inactive Thread Starter

    Joined:
    2008/02/12
    Messages:
    9
    Likes Received:
    0
    Done

    I submitted the zip file now
     
  15. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks!

    Have a couple errands. Will post further instructions later this evening. ;)
     
  16. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will be removed as well. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    That should wrap things up. Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
     
