
Solved Help!! Think i have browser hijack? Calling clever people :)

Discussion in 'Malware and Virus Removal Archive' started by hayeslockett, 2007/09/21.

  1. 2007/09/21
    hayeslockett

    hayeslockett Inactive Thread Starter

    [Resolved] Help!! Think i have browser hijack? Calling clever people :)

    Hi Guys,

    First of all, I apologise if there's a general sticky about this, but I have trawled through and only found this from ages ago...

    http://www.windowsbbs.com/showthread.php?t=53154

    I have an identical problem to him but cannot resolve it. I'm not amazingly techie, but really not too bad, so go easy on me!!
    I have tried loads of spyware removal etc. and am still getting the same problem. Search engine results route elsewhere etc., as described perfectly by the guy in the example thread.

    Thought I'd attach my HijackThis results for someone clever to cast their eye over?

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 22:21:57, on 21/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS2\System32\smss.exe
    C:\WINDOWS2\system32\csrss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS2\Explorer.EXE
    C:\WINDOWS2\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS2\CTHELPER.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS2\system32\crypserv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS2\System32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\gg\Desktop\HiJackThis_v2.exe
    C:\WINDOWS2\System32\wbem\wmiprvse.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: pmnnl - C:\WINDOWS2\system32\pmnnl.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS2\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS2\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 6787 bytes



    Any help really greatly appreciated

    Hayes
     
  2. 2007/09/21
    noahdfear

    noahdfear Inactive

    Welcome to WindowsBBS Hayes :)

    Before we start fixing, let's use another tool to get a better look at things.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.


    Did you use Spybot to lock the Internet Explorer control panel?
     


  4. 2007/09/21
    hayeslockett

    hayeslockett Inactive Thread Starter

    Hey,

    Thanks for the really quick response.
    Not too sure about your Spybot question and the IE panel. Don't recall doing anything like that, but I have run a few removal programs on recommendation, so it could have happened automatically?? :S

    As for your results, they are below. Thanks again...

    Deckard's System Scanner v20070905.67
    Run by gg on 2007-09-21 23:08:06
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    29: 2007-09-21 22:08:13 UTC - RP154 - Deckard's System Scanner Restore Point
    28: 2007-09-21 19:02:08 UTC - RP153 - Shockwave Player
    27: 2007-09-21 19:01:33 UTC - RP152 - Shockwave Player
    26: 2007-09-20 18:27:38 UTC - RP151 - Removed J2SE Runtime Environment 5.0 Update 11
    25: 2007-09-20 18:26:57 UTC - RP150 - Removed J2SE Runtime Environment 5.0 Update 8


    -- First Restore Point --
    1: 2007-06-28 15:06:40 UTC - RP126 - Software Distribution Service 3.0


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-09-21 23:09:34
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)

    Running processes:
    C:\WINDOWS2\system32\smss.exe
    C:\WINDOWS2\system32\csrss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS2\explorer.exe
    C:\WINDOWS2\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS2\CTHELPER.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS2\system32\Crypserv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
    C:\WINDOWS2\system32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\gg\Desktop\dss.exe
    C:\WINDOWS2\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKEY_LOCAL_MACHINE\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS2\system32\msvidctl.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - Winlogon Notify: pmnnl - C:\WINDOWS2\system32\pmnnl.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\system32\Crypserv.exe


    -- HijackThis Fixed Entries (C:\Documents and Settings\gg\Desktop\backups\) ----

    backup-20070920-213054-780 R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
    backup-20070920-213356-148 O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS2\SiSUSBrg.exe
    backup-20070920-213356-253 O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
    backup-20070920-213356-962 O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S
    backup-20070920-221142-630 O2 - BHO: (no name) - {F19781C0-ED57-4AAB-A7AA-D4335E9BDB12} - C:\WINDOWS2\system32\pmnnl.dll (file missing)
    backup-20070921-215946-405 O8 - Extra context menu item: &Search - ?p=ZJfox000

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 NetworkX - c:\windows2\system32\ckldrv.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Crypkey License - crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-09-21 21:52:04 442 --a------ C:\WINDOWS2\Tasks\XoftSpySE 2.job
    2007-09-21 18:29:37 356 --a------ C:\WINDOWS2\Tasks\XoftSpySE.job
    2007-09-19 21:21:08 284 --a------ C:\WINDOWS2\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2007-08-21 and 2007-09-21 -----------------------------

    2007-09-21 21:21:13 0 d-------- C:\Program Files\Browser Hijack Recover
    2007-09-21 20:02:38 52224 --a------ C:\WINDOWS2\system32\Crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>
    2007-09-21 20:02:38 24608 --a------ C:\WINDOWS2\system32\Ckldrv.sys
    2007-09-21 20:02:38 27648 -ra------ C:\WINDOWS2\Setup_ck.exe
    2007-09-21 20:02:38 18432 --a------ C:\WINDOWS2\Setup_ck.dll
    2007-09-21 20:02:38 11776 --a------ C:\WINDOWS2\Ckrfresh.exe
    2007-09-21 20:02:38 165888 --a------ C:\WINDOWS2\Ckconfig.exe <Not Verified; Kenonic Controls; CKCONFIG Application>
    2007-09-20 23:02:02 0 d-------- C:\Program Files\XoftSpySE
    2007-09-20 21:37:50 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Spybot - Search & Destroy
    2007-09-20 20:51:50 0 d-------- C:\Documents and Settings\gg\Application Data\Grisoft
    2007-09-20 19:24:45 0 d-------- C:\WINDOWS2\SxsCaPendDel
    2007-09-20 18:34:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Lavasoft
    2007-09-19 21:22:16 0 d-------- C:\Program Files\QuickTime
    2007-09-19 21:21:04 0 d-------- C:\Program Files\Apple Software Update
    2007-09-19 21:20:30 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Apple
    2007-09-16 23:12:15 0 d-------- C:\Program Files\DirectAccess
    2007-09-16 19:56:01 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-09-16 19:53:55 0 d-------- C:\WINDOWS2\system32\drivers\UMDF
    2007-09-14 17:15:47 0 d-------- C:\Program Files\MSXML 4.0
    2007-09-13 20:04:33 86016 --a------ C:\WINDOWS2\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
    2007-09-13 20:04:29 0 d-------- C:\Program Files\Skunk Studios
    2007-09-13 20:00:34 0 d-------- C:\Program Files\Common Files\PestPatrol
    2007-09-13 20:00:34 0 d-------- C:\Program Files\Common Files\Command Software
    2007-09-13 19:58:02 0 d-------- C:\Windows
    2007-09-13 19:55:52 0 d-------- C:\Documents and Settings\gg\Application Data\Virgin Broadband
    2007-09-13 19:55:47 0 d-------- C:\Program Files\Virgin Broadband
    2007-09-13 19:55:47 0 d-------- C:\Documents and Settings\All Users.WINDOWS2\Application Data\Virgin Broadband
    2007-09-13 19:54:52 0 d-------- C:\Program Files\VirginBroadband
    2007-09-13 19:18:51 0 d-------- C:\Program Files\Common Files\Motive
    2007-09-13 19:18:24 159744 --a------ C:\WINDOWS2\system32\ssleay32_1-1-0_DDR.dll
    2007-09-13 19:18:23 532594 --a------ C:\WINDOWS2\system32\xerces-c_1_40_0_DDR.dll
    2007-09-13 19:18:23 524377 --a------ C:\WINDOWS2\system32\stlport_4_0_0_DDR.dll
    2007-09-13 19:18:23 663552 --a------ C:\WINDOWS2\system32\libeay32_1-1-0_DDR.dll
    2007-09-13 19:18:23 307329 --a------ C:\WINDOWS2\system32\BJBase_2-2-2_DDR.dll <Not Verified; BroadJump, Inc.; >
    2007-09-13 19:18:21 0 d-------- C:\Program Files\BroadJump


    -- Find3M Report ---------------------------------------------------------------

    2007-09-21 20:14:38 0 d-------- C:\Program Files\SWiSH v2.0
    2007-09-20 20:07:09 0 d-------- C:\Program Files\RingBearers Script
    2007-09-20 19:58:06 0 d-------- C:\Program Files\3IABWL
    2007-09-20 19:29:15 0 d-------- C:\Program Files\Common Files\Real
    2007-09-20 19:29:00 0 d-------- C:\Documents and Settings\gg\Application Data\Real
    2007-09-20 19:27:48 0 d-------- C:\Program Files\Java
    2007-09-20 19:24:29 0 d-a------ C:\Program Files\Common Files
    2007-09-20 18:34:16 0 d-------- C:\Program Files\Lavasoft
    2007-09-20 18:34:13 0 d-------- C:\Documents and Settings\gg\Application Data\Lavasoft
    2007-09-20 18:33:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-20 09:49:26 0 d-------- C:\Documents and Settings\gg\Application Data\AVG7
    2007-09-19 21:24:36 0 d-------- C:\Program Files\iTunes
    2007-09-19 21:24:25 0 d-------- C:\Program Files\iPod
    2007-09-15 00:23:08 0 d-------- C:\Program Files\LimeWire
    2007-07-19 16:48:02 1225271 --ahs---- C:\WINDOWS2\system32\lnnmp.bak2
    2007-07-18 16:40:46 6365 --ahs---- C:\WINDOWS2\system32\lnnmp.bak1
    2007-07-08 13:54:53 409600 --a------ C:\WINDOWS2\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
    2007-07-08 13:54:52 86016 --a------ C:\WINDOWS2\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [14/09/2007 16:55]
    "CTHelper "= "CTHELPER.EXE" [11/08/2006 14:56 C:\WINDOWS2\CTHELPER.EXE]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 16:40]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [14/09/2007 10:00]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
    "Broadbandadvisor.exe "= "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [24/01/2007 14:12]
    "AAWTray "= "C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 15:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 16:46]

    C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [23/10/2006 02:48:20]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [23/10/2006 01:01:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)
    "DisableTaskMgr "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoColorChoice "=0 (0x0)
    "NoSizeChoice "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoVisualStyleChoice "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize "=0 (0x0)
    "NoToolbarCustomize "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize "=0 (0x0)
    "NoToolbarCustomize "=0 (0x0)
    "NoActiveDesktop "=0 (0x0)
    "NoSaveSettings "=0 (0x0)
    "NoThemesTab "=0 (0x0)
    "ForceActiveDesktopOn "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "System "= "kdaco.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnl]
    C:\WINDOWS2\system32\pmnnl.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Last.fm Helper.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\Last.fm Helper.lnk
    backup=C:\WINDOWS2\pss\Last.fm Helper.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
    rundll32.exe "C:\WINDOWS2\system32\tdbayjwb.dll ",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Usnsvc usnsvc




    -- End of Deckard's System Scanner: finished at 2007-09-21 23:12:33 ------------
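    A triage script for logs like the HijackThis and DSS output posted above, added here as an example; it is not part of this thread and not HijackThis's own logic. It parses the entry lines, flags "(file missing)" orphans, third-party Winlogon Notify DLLs, IE policy restrictions, Run values given as a bare file name, and any O17 name server not on an analyst-supplied trusted list. The sample lines are copied from the posted log; the rules and the trusted-resolver list are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

# Resolvers the analyst already trusts. 208.67.222.222 and 208.67.220.220 are
# OpenDNS's public resolvers; an O17 line pointing anywhere else is worth a look.
TRUSTED_NAMESERVERS: Set[str] = {"208.67.222.222", "208.67.220.220"}

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS2\System32\smss.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: pmnnl - C:\WINDOWS2\system32\pmnnl.dll (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\SYSTEM32\crypserv.exe
"""

ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*?)\s*$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high", "medium" or "low"
    reason: str
    raw: str       # the entry as it appeared in the log


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every HijackThis entry line.
    Process lists, headers and blank lines do not match and are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def check_entry(section: str, body: str, trusted: Set[str] = TRUSTED_NAMESERVERS) -> Optional[Finding]:
    """Apply the (assumed) triage rules to one entry; None means nothing stood out."""
    raw = f"{section} - {body}"
    if "(file missing)" in body:
        # An orphaned registration: the file was removed but its hook remains.
        # In the Winlogon Notify list that is a classic infection leftover.
        sev = "high" if section == "O20" else "medium"
        return Finding(section, sev, "orphaned entry: registered file is missing from disk", raw)
    if section == "O20":
        return Finding(section, "high", "third-party Winlogon Notify DLL; verify the publisher", raw)
    if section == "O6":
        return Finding(section, "medium", "IE policy restrictions present; confirm they were set deliberately", raw)
    if section == "O17":
        m = NAMESERVER_RE.search(body)
        servers = {s.strip() for s in m.group(1).split(",") if s.strip()} if m else set()
        unknown = servers - trusted
        if unknown:
            return Finding(section, "high", "DNS servers not on the trusted list: " + ", ".join(sorted(unknown)), raw)
        return None
    if section == "O4" and "] " in body:
        # A Run value given as a bare file name is resolved through the search
        # path at logon, so the log alone cannot tell you which file executes.
        command = body.split("] ", 1)[1].strip()
        first = command.split('"')[1] if command.startswith('"') else command.split()[0]
        if "\\" not in first:
            return Finding(section, "low", "startup command is a bare file name; locate the file on disk", raw)
    return None


def triage(log_text: str, trusted: Set[str] = TRUSTED_NAMESERVERS) -> List[Finding]:
    """Run every entry through check_entry and keep the findings, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        f = check_entry(section, body, trusted)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.raw}")
```

Run it against a full log by passing the file contents to triage(); entries that match none of the rules are simply not reported, so an empty result means "nothing matched", not "clean".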
     
  5. 2007/09/21
    noahdfear

    noahdfear Inactive

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. 2007/09/21
    hayeslockett

    hayeslockett Inactive Thread Starter

    Thanks Again


    Ok, Combofix log ......................

    ComboFix 07-09-21.2 - "gg" 2007-09-22 0:33:09.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT 1:00]
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS2\system32\kdaco.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
    .

    2007-09-22 00:31 51,200 --a------ C:\WINDOWS2\NirCmd.exe
    2007-09-21 23:07 <DIR> d-------- C:\Deckard
    2007-09-21 21:21 <DIR> d-------- C:\Program Files\Browser Hijack Recover
    2007-09-21 20:02 52,224 --a------ C:\WINDOWS2\system32\Crypserv.exe
    2007-09-21 20:02 27,648 -ra------ C:\WINDOWS2\Setup_ck.exe
    2007-09-21 20:02 24,608 --a------ C:\WINDOWS2\system32\Ckldrv.sys
    2007-09-21 20:02 18,432 --a------ C:\WINDOWS2\Setup_ck.dll
    2007-09-21 20:02 165,888 --a------ C:\WINDOWS2\Ckconfig.exe
    2007-09-21 20:02 11,776 --a------ C:\WINDOWS2\Ckrfresh.exe
    2007-09-20 23:02 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-09-20 21:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
    2007-09-20 20:51 10,872 --a------ C:\WINDOWS2\system32\drivers\AvgAsCln.sys
    2007-09-20 19:24 <DIR> d-------- C:\WINDOWS2\SxsCaPendDel
    2007-09-20 18:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
    2007-09-19 21:22 <DIR> d-------- C:\Program Files\QuickTime
    2007-09-19 21:21 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-09-19 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
    2007-09-16 23:12 <DIR> d-------- C:\Program Files\DirectAccess
    2007-09-16 19:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-09-16 19:53 <DIR> d-------- C:\WINDOWS2\system32\drivers\UMDF
    2007-09-14 17:15 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-09-13 20:04 86,016 --a------ C:\WINDOWS2\unvise32.exe
    2007-09-13 20:04 <DIR> d-------- C:\Program Files\Skunk Studios
    2007-09-13 20:01 33,408 --a------ C:\WINDOWS2\system32\drivers\freedom.sys
    2007-09-13 20:00 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
    2007-09-13 20:00 <DIR> d-------- C:\Program Files\Common Files\Command Software
    2007-09-13 19:58 <DIR> d-------- C:\Windows
    2007-09-13 19:55 <DIR> d-------- C:\Program Files\Virgin Broadband
    2007-09-13 19:55 <DIR> d-------- C:\DOCUME~1\gg\APPLIC~1\Virgin Broadband
    2007-09-13 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Virgin Broadband
    2007-09-13 19:54 <DIR> d-------- C:\Program Files\VirginBroadband
    2007-09-13 19:18 663,552 --a------ C:\WINDOWS2\system32\libeay32_1-1-0_DDR.dll
    2007-09-13 19:18 532,594 --a------ C:\WINDOWS2\system32\xerces-c_1_40_0_DDR.dll
    2007-09-13 19:18 524,377 --a------ C:\WINDOWS2\system32\stlport_4_0_0_DDR.dll
    2007-09-13 19:18 307,329 --a------ C:\WINDOWS2\system32\BJBase_2-2-2_DDR.dll
    2007-09-13 19:18 159,744 --a------ C:\WINDOWS2\system32\ssleay32_1-1-0_DDR.dll
    2007-09-13 19:18 <DIR> d-------- C:\Program Files\Common Files\Motive
    2007-09-13 19:18 <DIR> d-------- C:\Program Files\BroadJump

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-21 20:14 --------- d-------- C:\Program Files\SWiSH v2.0
    2007-09-20 20:07 --------- d-------- C:\Program Files\RingBearers Script
    2007-09-20 20:01 12400 --a------ C:\WINDOWS2\system32\drivers\secdrv.sys
    2007-09-20 19:58 --------- d-------- C:\Program Files\3IABWL
    2007-09-20 19:29 --------- d-------- C:\Program Files\Common Files\Real
    2007-09-20 19:29 --------- d-------- C:\DOCUME~1\gg\APPLIC~1\Real
    2007-09-20 18:34 --------- d-------- C:\Program Files\Lavasoft
    2007-09-20 18:34 --------- d-------- C:\DOCUME~1\gg\APPLIC~1\Lavasoft
    2007-09-20 18:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-19 21:24 --------- d-------- C:\Program Files\iTunes
    2007-09-19 21:24 --------- d-------- C:\Program Files\iPod
    2007-09-15 00:23 --------- d-------- C:\Program Files\LimeWire
    2007-08-07 13:58 8320 --a------ C:\WINDOWS2\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS2\system32\drivers\NSDriver.sys
    2005-01-29 16:52 1096087 --a------ C:\Program Files\slsk155-222.exe
    2004-01-04 18:51 1849344 --a------ C:\Program Files\RBScript.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 16:55]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS2\CTHELPER.EXE]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
    "Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
    "AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispBackgroundPage"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnl]
    C:\WINDOWS2\system32\pmnnl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Last.fm Helper.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\Last.fm Helper.lnk
    backup=C:\WINDOWS2\pss\Last.fm Helper.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
    rundll32.exe "C:\WINDOWS2\system32\tdbayjwb.dll",forkonce

    R3 ctgame;Game Port;C:\WINDOWS2\system32\DRIVERS\ctgame.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-19 20:21:08 C:\WINDOWS2\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-21 23:39:35 C:\WINDOWS2\Tasks\XoftSpySE 2.job"
    - C:\Program Files\XoftSpySE\XoftSpy.exe
    "2007-09-21 17:29:37 C:\WINDOWS2\Tasks\XoftSpySE.job"
    - C:\Program Files\XoftSpySE\XoftSpy.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-22 00:40:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-22 0:43:39 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-22 00:43
    .
    --- E O F ---




    And the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 00:46:21, on 22/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS2\System32\smss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS2\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS2\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS2\system32\crypserv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS2\CTHELPER.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS2\system32\wuauclt.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS2\system32\notepad.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\gg\Desktop\HiJackThis_v2.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: pmnnl - C:\WINDOWS2\system32\pmnnl.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS2\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS2\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 6801 bytes
     
  7. 2007/09/21
    noahdfear

    Do you know what the following file is? If not, please upload it to jotti for analysis. Wait for the analysis to complete, then copy the results and post them back here.

    C:\Program Files\RBScript.exe


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS2\system32\pmnnl.dll
    C:\WINDOWS2\system32\tdbayjwb.dll
    
    DirLook::
    C:\WINDOWS2\SxsCaPendDel
    C:\Program Files\3IABWL
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnl]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    "DisableTaskMgr"=-
    "NoDispAppearancePage"=-
    "NoColorChoice"=-
    "NoSizeChoice"=-
    "NoDispBackgroundPage"=-
    "NoDispScrSavPage"=-
    "NoDispCPL"=-
    "NoVisualStyleChoice"=-
    "NoDispSettingsPage"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize"=-
    "NoToolbarCustomize"=-
    "NoActiveDesktopChanges"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize"=-
    "NoToolbarCustomize"=-
    "NoActiveDesktop"=-
    "NoSaveSettings"=-
    "NoThemesTab"=-
    "ForceActiveDesktopOn"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Let me know how your computer is running, and if the redirects have stopped.
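    The helper above reads the HijackThis log by eye and picks out the orphaned Winlogon Notify DLL, the rundll32 autostart, the pinned DNS servers and the IE policy restrictions. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix: it runs those same checks over HijackThis O-lines. It assumes the OpenDNS resolvers in the log are intended (a constructed allow-list), and its sample lines are constructed from this thread's logs plus one invented resolver address from the 192.0.2.0/24 documentation range.

```python
"""Triage of HijackThis v2 log lines for the entry types this thread acts on.

Added example; not code from the thread, from HijackThis or from ComboFix.
The sample log is constructed from the logs above plus one made-up resolver
(192.0.2.53, documentation range) so the DNS check has something to flag.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Resolvers the owner of this machine set on purpose.  The thread's log shows
# OpenDNS on every interface; anything else pinned in the TCP/IP keys is
# suspect, since rewriting NameServer is one way a hijacker redirects searches.
# Constructed allow-list for the example.
EXPECTED_DNS = frozenset({"208.67.220.220", "208.67.222.222"})

O_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
NAMESERVER = re.compile(r"NameServer\s*=\s*(.+)$")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why the line deserves a look
    line: str     # the log line itself


def check_line(raw: str, expected_dns=EXPECTED_DNS) -> Finding | None:
    """Return a Finding for one HijackThis line, or None if it looks routine."""
    line = raw.strip()
    m = O_LINE.match(line)
    if not m:
        return None  # banner, running-process list, blank line
    section, body = m.groups()

    if section == "O20" and "(file missing)" in body:
        # Winlogon Notify entry whose DLL is gone: the loader is orphaned,
        # which is the pmnnl state the CFScript above removes.
        return Finding(section, "Winlogon Notify DLL is missing; orphaned entry", line)

    if section == "O17":
        nm = NAMESERVER.search(body)
        servers = {s.strip() for s in nm.group(1).split(",")} if nm else set()
        unexpected = servers - set(expected_dns)
        if unexpected:
            return Finding(section, "NameServer pinned to unexpected resolver(s): "
                           + ", ".join(sorted(unexpected)), line)
        return None

    if section == "O6":
        # Policy restrictions are normal on managed machines and a hijack
        # symptom on home ones, so always confirm who set them.
        return Finding(section, "Internet Explorer policy restrictions present; confirm they are intended", line)

    if section == "O4":
        rm = RUNDLL_DLL.search(body)
        if rm:
            dll = rm.group(1).rsplit("\\", 1)[-1]
            return Finding(section, f"autostart loads a DLL through rundll32: {dll}", line)

    return None


def triage(log_text: str, expected_dns=EXPECTED_DNS) -> list[Finding]:
    """Run check_line over a whole log and keep the lines that were flagged."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw, expected_dns)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: a few lines from this thread's logs and one invented O17.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS2\system32\tdbayjwb.dll",forkonce
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O20 - Winlogon Notify: pmnnl - C:\WINDOWS2\system32\pmnnl.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```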
     
  8. 2007/09/22
    hayeslockett

    Morning,

    Ok, the RBScript.exe thing is fine. I did a check anyway like you said, but it has been on the PC for approx 4 years.

    Could see a query on the 3IABWL. That's some stoopid online darts thing but again it has been there ages, but I'll remove it just in case. Doesn't really get used.

    ** Good news is that the problem seems to be fixed. Not sure what did it, maybe you have an idea? ** Tried about 20 times just to make sure with lots of different searches and it's gone. Here are the logs as you requested. ComboFix log first ...

    ComboFix 07-09-21.2 - "gg" 2007-09-22 11:56:04.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT 1:00]
    Command switches used :: C:\Documents and Settings\gg\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS2\system32\pmnnl.dll
    C:\WINDOWS2\system32\tdbayjwb.dll
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-22 00:31 51,200 --a------ C:\WINDOWS2\NirCmd.exe
    2007-09-21 23:07 <DIR> d-------- C:\Deckard
    2007-09-21 21:21 <DIR> d-------- C:\Program Files\Browser Hijack Recover
    2007-09-21 20:02 52,224 --a------ C:\WINDOWS2\system32\Crypserv.exe
    2007-09-21 20:02 27,648 -ra------ C:\WINDOWS2\Setup_ck.exe
    2007-09-21 20:02 24,608 --a------ C:\WINDOWS2\system32\Ckldrv.sys
    2007-09-21 20:02 18,432 --a------ C:\WINDOWS2\Setup_ck.dll
    2007-09-21 20:02 165,888 --a------ C:\WINDOWS2\Ckconfig.exe
    2007-09-21 20:02 11,776 --a------ C:\WINDOWS2\Ckrfresh.exe
    2007-09-20 23:02 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-09-20 21:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
    2007-09-20 20:51 10,872 --a------ C:\WINDOWS2\system32\drivers\AvgAsCln.sys
    2007-09-20 19:24 <DIR> d-------- C:\WINDOWS2\SxsCaPendDel
    2007-09-20 18:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
    2007-09-19 21:22 <DIR> d-------- C:\Program Files\QuickTime
    2007-09-19 21:21 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-09-19 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
    2007-09-16 23:12 <DIR> d-------- C:\Program Files\DirectAccess
    2007-09-16 19:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-09-16 19:53 <DIR> d-------- C:\WINDOWS2\system32\drivers\UMDF
    2007-09-14 17:15 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-09-13 20:04 86,016 --a------ C:\WINDOWS2\unvise32.exe
    2007-09-13 20:04 <DIR> d-------- C:\Program Files\Skunk Studios
    2007-09-13 20:01 33,408 --a------ C:\WINDOWS2\system32\drivers\freedom.sys
    2007-09-13 20:00 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
    2007-09-13 20:00 <DIR> d-------- C:\Program Files\Common Files\Command Software
    2007-09-13 19:58 <DIR> d-------- C:\Windows
    2007-09-13 19:55 <DIR> d-------- C:\Program Files\Virgin Broadband
    2007-09-13 19:55 <DIR> d-------- C:\DOCUME~1\gg\APPLIC~1\Virgin Broadband
    2007-09-13 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Virgin Broadband
    2007-09-13 19:54 <DIR> d-------- C:\Program Files\VirginBroadband
    2007-09-13 19:18 663,552 --a------ C:\WINDOWS2\system32\libeay32_1-1-0_DDR.dll
    2007-09-13 19:18 532,594 --a------ C:\WINDOWS2\system32\xerces-c_1_40_0_DDR.dll
    2007-09-13 19:18 524,377 --a------ C:\WINDOWS2\system32\stlport_4_0_0_DDR.dll
    2007-09-13 19:18 307,329 --a------ C:\WINDOWS2\system32\BJBase_2-2-2_DDR.dll
    2007-09-13 19:18 159,744 --a------ C:\WINDOWS2\system32\ssleay32_1-1-0_DDR.dll
    2007-09-13 19:18 <DIR> d-------- C:\Program Files\Common Files\Motive
    2007-09-13 19:18 <DIR> d-------- C:\Program Files\BroadJump

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-21 20:14 --------- d-------- C:\Program Files\SWiSH v2.0
    2007-09-20 20:07 --------- d-------- C:\Program Files\RingBearers Script
    2007-09-20 20:01 12400 --a------ C:\WINDOWS2\system32\drivers\secdrv.sys
    2007-09-20 19:58 --------- d-------- C:\Program Files\3IABWL
    2007-09-20 19:29 --------- d-------- C:\Program Files\Common Files\Real
    2007-09-20 19:29 --------- d-------- C:\DOCUME~1\gg\APPLIC~1\Real
    2007-09-20 18:34 --------- d-------- C:\Program Files\Lavasoft
    2007-09-20 18:34 --------- d-------- C:\DOCUME~1\gg\APPLIC~1\Lavasoft
    2007-09-20 18:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-19 21:24 --------- d-------- C:\Program Files\iTunes
    2007-09-19 21:24 --------- d-------- C:\Program Files\iPod
    2007-09-15 00:23 --------- d-------- C:\Program Files\LimeWire
    2007-08-07 13:58 8320 --a------ C:\WINDOWS2\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS2\system32\drivers\NSDriver.sys
    2007-07-30 19:19 92504 --a------ C:\WINDOWS2\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS2\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS2\system32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS2\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS2\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS2\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS2\system32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS2\system32\wups.dll
    2007-07-19 16:48 1225271 --ahs---- C:\WINDOWS2\system32\lnnmp.bak2
    2007-07-18 16:40 6365 --ahs---- C:\WINDOWS2\system32\lnnmp.bak1
    2007-07-08 13:54 86016 --a------ C:\WINDOWS2\system32\OpenAL32.dll
    2007-07-08 13:54 409600 --a------ C:\WINDOWS2\system32\wrap_oal.dll
    2007-06-26 07:08 1104896 --a------ C:\WINDOWS2\system32\msxml3.dll
    2005-01-29 16:52 1096087 --a------ C:\Program Files\slsk155-222.exe
    2004-01-04 18:51 1849344 --a------ C:\Program Files\RBScript.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


    ---- Directory of C:\WINDOWS2\SxsCaPendDel ----


    ---- Directory of C:\Program Files\3IABWL ----

    2007-09-20 19:58 20480 --ahs---- C:\Program Files\3IABWL\Thumbs.db
    2007-04-19 10:09 1712128 --a------ C:\Program Files\3IABWL\3IABWL.exe
    2007-04-05 20:09 640957 --a------ C:\Program Files\3IABWL\unins000.exe
    2007-04-05 20:09 15428 --a------ C:\Program Files\3IABWL\unins000.dat
    2004-01-12 21:52 5226 --a------ C:\Program Files\3IABWL\DartBig2.gif
    2004-01-12 21:52 3553 --a------ C:\Program Files\3IABWL\DartMediumBig2.gif
    2004-01-12 21:52 2215 --a------ C:\Program Files\3IABWL\DartMediumSmall2.gif
    2004-01-12 21:41 2452 --a------ C:\Program Files\3IABWL\DartMediumSmall1.gif
    2004-01-12 21:40 5987 --a------ C:\Program Files\3IABWL\DartBig1.gif
    2004-01-12 21:40 4023 --a------ C:\Program Files\3IABWL\DartMediumBig1.gif
    2003-12-27 17:10 1110 --a------ C:\Program Files\3IABWL\DartSmall1d.gif
    2003-12-27 17:09 1130 --a------ C:\Program Files\3IABWL\DartSmall1b.gif
    2003-12-27 17:09 1114 --a------ C:\Program Files\3IABWL\DartSmall2b.gif
    2003-12-27 17:09 1109 --a------ C:\Program Files\3IABWL\DartSmall1c.gif
    2003-12-27 17:09 1092 --a------ C:\Program Files\3IABWL\DartSmall2d.gif
    2003-12-27 17:08 1127 --a------ C:\Program Files\3IABWL\DartSmall1a.gif
    2003-12-27 17:08 1114 --a------ C:\Program Files\3IABWL\DartSmall2a.gif
    2003-12-27 17:08 1091 --a------ C:\Program Files\3IABWL\DartSmall2c.gif
    2003-04-22 19:34 29078 --a------ C:\Program Files\3IABWL\sounds\referee\General\Bullseye.wav
    2003-03-27 21:15 3069 --a------ C:\Program Files\3IABWL\License.txt
    2002-05-21 21:10 41330 --a------ C:\Program Files\3IABWL\sounds\referee\General\Set.wav
    2002-05-21 21:09 53342 --a------ C:\Program Files\3IABWL\sounds\referee\General\Match.wav
    2002-05-21 21:09 30542 --a------ C:\Program Files\3IABWL\sounds\referee\General\Leg.wav
    2002-05-21 21:09 18690 --a------ C:\Program Files\3IABWL\sounds\referee\General\Game.wav
    2002-05-21 21:05 24020 --a------ C:\Program Files\3IABWL\sounds\referee\score\5.wav
    2002-05-21 21:05 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\44.wav
    2002-05-21 21:05 22402 --a------ C:\Program Files\3IABWL\sounds\referee\score\6.wav
    2002-05-21 21:05 21222 --a------ C:\Program Files\3IABWL\sounds\referee\score\52.wav
    2002-05-21 21:05 21080 --a------ C:\Program Files\3IABWL\sounds\referee\score\48.wav
    2002-05-21 21:05 18580 --a------ C:\Program Files\3IABWL\sounds\referee\score\50.wav
    2002-05-21 21:04 25930 --a------ C:\Program Files\3IABWL\sounds\referee\score\74.wav
    2002-05-21 21:04 24308 --a------ C:\Program Files\3IABWL\sounds\referee\score\77.wav
    2002-05-21 21:04 23578 --a------ C:\Program Files\3IABWL\sounds\referee\score\7.wav
    2002-05-21 21:04 22990 --a------ C:\Program Files\3IABWL\sounds\referee\score\8.wav
    2002-05-21 21:04 22990 --a------ C:\Program Files\3IABWL\sounds\referee\score\64.wav
    2002-05-21 21:04 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\69.wav
    2002-05-21 21:04 22250 --a------ C:\Program Files\3IABWL\sounds\referee\score\78.wav
    2002-05-21 21:04 19752 --a------ C:\Program Files\3IABWL\sounds\referee\score\71.wav
    2002-05-21 21:04 18722 --a------ C:\Program Files\3IABWL\sounds\referee\score\80.wav
    2002-05-21 21:04 17698 --a------ C:\Program Files\3IABWL\sounds\referee\score\60.wav
    2002-05-21 21:03 23280 --a------ C:\Program Files\3IABWL\sounds\referee\score\54.wav
    2002-05-21 21:03 22990 --a------ C:\Program Files\3IABWL\sounds\referee\score\83.wav
    2002-05-21 21:03 21662 --a------ C:\Program Files\3IABWL\sounds\referee\score\66.wav
    2002-05-21 21:03 21662 --a------ C:\Program Files\3IABWL\sounds\referee\score\49.wav
    2002-05-21 21:03 21368 --a------ C:\Program Files\3IABWL\sounds\referee\score\82.wav
    2002-05-21 21:03 21222 --a------ C:\Program Files\3IABWL\sounds\referee\score\65.wav
    2002-05-21 21:03 19898 --a------ C:\Program Files\3IABWL\sounds\referee\score\68.wav
    2002-05-21 21:03 16522 --a------ C:\Program Files\3IABWL\sounds\referee\score\62.wav
    2002-05-21 21:03 15782 --a------ C:\Program Files\3IABWL\sounds\referee\score\61.wav
    2002-05-21 21:02 26220 --a------ C:\Program Files\3IABWL\sounds\referee\score\75.wav
    2002-05-21 21:02 25778 --a------ C:\Program Files\3IABWL\sounds\referee\score\76.wav
    2002-05-21 21:02 25190 --a------ C:\Program Files\3IABWL\sounds\referee\score\73.wav
    2002-05-21 21:02 24902 --a------ C:\Program Files\3IABWL\sounds\referee\score\57.wav
    2002-05-21 21:02 24020 --a------ C:\Program Files\3IABWL\sounds\referee\score\79.wav
    2002-05-21 21:02 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\67.wav
    2002-05-21 21:02 21810 --a------ C:\Program Files\3IABWL\sounds\referee\score\47.wav
    2002-05-21 21:02 21810 --a------ C:\Program Files\3IABWL\sounds\referee\score\42.wav
    2002-05-21 21:02 19752 --a------ C:\Program Files\3IABWL\sounds\referee\score\81.wav
    2002-05-21 21:02 19462 --a------ C:\Program Files\3IABWL\sounds\referee\score\51.wav
    2002-05-21 21:01 24602 --a------ C:\Program Files\3IABWL\sounds\referee\score\9.wav
    2002-05-21 21:01 24020 --a------ C:\Program Files\3IABWL\sounds\referee\score\72.wav
    2002-05-21 21:01 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\85.wav
    2002-05-21 21:01 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\84.wav
    2002-05-21 21:01 22108 --a------ C:\Program Files\3IABWL\sounds\referee\score\70.wav
    2002-05-21 21:01 22108 --a------ C:\Program Files\3IABWL\sounds\referee\score\53.wav
    2002-05-21 21:01 20932 --a------ C:\Program Files\3IABWL\sounds\referee\score\86.wav
    2002-05-21 21:01 20780 --a------ C:\Program Files\3IABWL\sounds\referee\score\87.wav
    2002-05-21 21:01 19898 --a------ C:\Program Files\3IABWL\sounds\referee\score\89.wav
    2002-05-21 21:00 19898 --a------ C:\Program Files\3IABWL\sounds\referee\score\94.wav
    2002-05-21 21:00 18282 --a------ C:\Program Files\3IABWL\sounds\referee\score\92.wav
    2002-05-21 21:00 17552 --a------ C:\Program Files\3IABWL\sounds\referee\score\91.wav
    2002-05-21 21:00 16958 --a------ C:\Program Files\3IABWL\sounds\referee\score\88.wav
    2002-05-21 21:00 15488 --a------ C:\Program Files\3IABWL\sounds\referee\score\90.wav
    2002-05-21 20:59 18428 --a------ C:\Program Files\3IABWL\sounds\referee\score\96.wav
    2002-05-21 20:59 17992 --a------ C:\Program Files\3IABWL\sounds\referee\score\97.wav
    2002-05-21 20:59 17840 --a------ C:\Program Files\3IABWL\sounds\referee\score\95.wav
    2002-05-21 20:59 17698 --a------ C:\Program Files\3IABWL\sounds\referee\score\99.wav
    2002-05-21 20:59 16958 --a------ C:\Program Files\3IABWL\sounds\referee\score\98.wav
    2002-05-21 20:59 16228 --a------ C:\Program Files\3IABWL\sounds\referee\score\93.wav
    2002-05-21 20:58 28130 --a------ C:\Program Files\3IABWL\sounds\referee\score\134.wav
    2002-05-21 20:58 27102 --a------ C:\Program Files\3IABWL\sounds\referee\score\126.wav
    2002-05-21 20:58 24308 --a------ C:\Program Files\3IABWL\sounds\referee\score\10.wav
    2002-05-21 20:58 23132 --a------ C:\Program Files\3IABWL\sounds\referee\score\105.wav
    2002-05-21 20:58 23132 --a------ C:\Program Files\3IABWL\sounds\referee\score\104.wav
    2002-05-21 20:58 22990 --a------ C:\Program Files\3IABWL\sounds\referee\score\109.wav
    2002-05-21 20:58 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\106.wav
    2002-05-21 20:58 21368 --a------ C:\Program Files\3IABWL\sounds\referee\score\101.wav
    2002-05-21 20:58 16812 --a------ C:\Program Files\3IABWL\sounds\referee\score\1.wav
    2002-05-21 20:57 30782 --a------ C:\Program Files\3IABWL\sounds\referee\score\147.wav
    2002-05-21 20:57 28718 --a------ C:\Program Files\3IABWL\sounds\referee\score\123.wav
    2002-05-21 20:57 28572 --a------ C:\Program Files\3IABWL\sounds\referee\score\161.wav
    2002-05-21 20:57 26960 --a------ C:\Program Files\3IABWL\sounds\referee\score\115.wav
    2002-05-21 20:57 24902 --a------ C:\Program Files\3IABWL\sounds\referee\score\114.wav
    2002-05-21 20:57 24750 --a------ C:\Program Files\3IABWL\sounds\referee\score\130.wav
    2002-05-21 20:57 22692 --a------ C:\Program Files\3IABWL\sounds\referee\score\103.wav
    2002-05-21 20:57 21810 --a------ C:\Program Files\3IABWL\sounds\referee\score\15.wav
    2002-05-21 20:57 19898 --a------ C:\Program Files\3IABWL\sounds\referee\score\100.wav
    2002-05-21 20:56 34310 --a------ C:\Program Files\3IABWL\sounds\referee\score\154.wav
    2002-05-21 20:56 28430 --a------ C:\Program Files\3IABWL\sounds\referee\score\158.wav
    2002-05-21 20:55 29600 --a------ C:\Program Files\3IABWL\sounds\referee\score\144.wav
    2002-05-21 20:55 24020 --a------ C:\Program Files\3IABWL\sounds\referee\score\16.wav
    2002-05-21 20:55 23432 --a------ C:\Program Files\3IABWL\sounds\referee\score\112.wav
    2002-05-21 20:55 22550 --a------ C:\Program Files\3IABWL\sounds\referee\score\107.wav
    2002-05-21 20:55 19752 --a------ C:\Program Files\3IABWL\sounds\referee\score\11.wav
    2002-05-21 20:54 34750 --a------ C:\Program Files\3IABWL\sounds\referee\score\162.wav
    2002-05-21 20:54 32982 --a------ C:\Program Files\3IABWL\sounds\referee\score\152.wav
    2002-05-21 20:54 32840 --a------ C:\Program Files\3IABWL\sounds\referee\score\153.wav
    2002-05-21 20:54 30042 --a------ C:\Program Files\3IABWL\sounds\referee\score\142.wav
    2002-05-21 20:54 29160 --a------ C:\Program Files\3IABWL\sounds\referee\score\133.wav
    2002-05-21 20:54 27988 --a------ C:\Program Files\3IABWL\sounds\referee\score\138.wav
    2002-05-21 20:54 24382 --a------ C:\Program Files\3IABWL\sounds\referee\score\120.wav
    2002-05-21 20:54 18870 --a------ C:\Program Files\3IABWL\sounds\referee\score\20.wav
    2002-05-21 20:54 16522 --a------ C:\Program Files\3IABWL\sounds\referee\score\0.wav
    2002-05-21 20:53 36808 --a------ C:\Program Files\3IABWL\sounds\referee\score\164.wav
    2002-05-21 20:53 32982 --a------ C:\Program Files\3IABWL\sounds\referee\score\139.wav
    2002-05-21 20:53 30782 --a------ C:\Program Files\3IABWL\sounds\referee\score\143.wav
    2002-05-21 20:53 28718 --a------ C:\Program Files\3IABWL\sounds\referee\score\151.wav
    2002-05-21 20:53 25342 --a------ C:\Program Files\3IABWL\sounds\referee\score\116.wav
    2002-05-21 20:53 23872 --a------ C:\Program Files\3IABWL\sounds\referee\score\118.wav
    2002-05-21 20:53 22108 --a------ C:\Program Files\3IABWL\sounds\referee\score\23.wav
    2002-05-21 20:53 21962 --a------ C:\Program Files\3IABWL\sounds\referee\score\110.wav
    2002-05-21 20:53 21662 --a------ C:\Program Files\3IABWL\sounds\referee\score\12.wav
    2002-05-21 20:52 31658 --a------ C:\Program Files\3IABWL\sounds\referee\score\146.wav
    2002-05-21 20:52 30782 --a------ C:\Program Files\3IABWL\sounds\referee\score\136.wav
    2002-05-21 20:52 30482 --a------ C:\Program Files\3IABWL\sounds\referee\score\129.wav
    2002-05-21 20:52 25190 --a------ C:\Program Files\3IABWL\sounds\referee\score\131.wav
    2002-05-21 20:52 22402 --a------ C:\Program Files\3IABWL\sounds\referee\score\22.wav
    2002-05-21 20:52 21080 --a------ C:\Program Files\3IABWL\sounds\referee\score\14.wav
    2002-05-21 20:52 20780 --a------ C:\Program Files\3IABWL\sounds\referee\score\108.wav
    2002-05-21 20:52 17552 --a------ C:\Program Files\3IABWL\sounds\referee\score\28.wav
    2002-05-21 20:51 31658 --a------ C:\Program Files\3IABWL\sounds\referee\score\137.wav
    2002-05-21 20:51 30188 --a------ C:\Program Files\3IABWL\sounds\referee\score\135.wav
    2002-05-21 20:51 28870 --a------ C:\Program Files\3IABWL\sounds\referee\score\132.wav
    2002-05-21 20:51 25190 --a------ C:\Program Files\3IABWL\sounds\referee\score\128.wav
    2002-05-21 20:51 24902 --a------ C:\Program Files\3IABWL\sounds\referee\score\117.wav
    2002-05-21 20:51 24750 --a------ C:\Program Files\3IABWL\sounds\referee\score\141.wav
    2002-05-21 20:51 24162 --a------ C:\Program Files\3IABWL\sounds\referee\score\102.wav
    2002-05-21 20:51 23872 --a------ C:\Program Files\3IABWL\sounds\referee\score\113.wav
    2002-05-21 20:50 33128 --a------ C:\Program Files\3IABWL\sounds\referee\score\160.wav
    2002-05-21 20:50 32100 --a------ C:\Program Files\3IABWL\sounds\referee\score\157.wav
    2002-05-21 20:50 30928 --a------ C:\Program Files\3IABWL\sounds\referee\score\159.wav
    2002-05-21 20:50 30928 --a------ C:\Program Files\3IABWL\sounds\referee\score\145.wav
    2002-05-21 20:50 29600 --a------ C:\Program Files\3IABWL\sounds\referee\score\149.wav
    2002-05-21 20:50 28282 --a------ C:\Program Files\3IABWL\sounds\referee\score\125.wav
    2002-05-21 20:50 27542 --a------ C:\Program Files\3IABWL\sounds\referee\score\127.wav
    2002-05-21 20:50 27102 --a------ C:\Program Files\3IABWL\sounds\referee\score\124.wav
    2002-05-21 20:50 23280 --a------ C:\Program Files\3IABWL\sounds\referee\score\32.wav
    2002-05-21 20:49 36068 --a------ C:\Program Files\3IABWL\sounds\referee\score\167.wav
    2002-05-21 20:49 32982 --a------ C:\Program Files\3IABWL\sounds\referee\score\155.wav
    2002-05-21 20:49 28830 --a------ C:\Program Files\3IABWL\sounds\referee\score\121.wav
    2002-05-21 20:49 21368 --a------ C:\Program Files\3IABWL\sounds\referee\score\13.wav
    2002-05-21 20:49 18282 --a------ C:\Program Files\3IABWL\sounds\referee\score\29.wav
    2002-05-21 20:48 41660 --a------ C:\Program Files\3IABWL\sounds\referee\score\177.wav
    2002-05-21 20:48 30928 --a------ C:\Program Files\3IABWL\sounds\referee\score\140.wav
    2002-05-21 20:48 28718 --a------ C:\Program Files\3IABWL\sounds\referee\score\148.wav
    2002-05-21 20:48 25490 --a------ C:\Program Files\3IABWL\sounds\referee\score\3.wav
    2002-05-21 20:48 25342 --a------ C:\Program Files\3IABWL\sounds\referee\score\122.wav
    2002-05-21 20:48 23720 --a------ C:\Program Files\3IABWL\sounds\referee\score\33.wav
    2002-05-21 20:48 23720 --a------ C:\Program Files\3IABWL\sounds\referee\score\119.wav
    2002-05-21 20:48 22250 --a------ C:\Program Files\3IABWL\sounds\referee\score\111.wav
    2002-05-21 20:48 11230 --a------ C:\Program Files\3IABWL\sounds\referee\score\30.wav
    2002-05-21 20:47 35480 --a------ C:\Program Files\3IABWL\sounds\referee\score\170.wav
    2002-05-21 20:47 22838 --a------ C:\Program Files\3IABWL\sounds\referee\score\36.wav
    2002-05-21 20:47 21222 --a------ C:\Program Files\3IABWL\sounds\referee\score\19.wav
    2002-05-21 20:47 20492 --a------ C:\Program Files\3IABWL\sounds\referee\score\27.wav
    2002-05-21 20:47 20492 --a------ C:\Program Files\3IABWL\sounds\referee\score\25.wav
    2002-05-21 20:47 20192 --a------ C:\Program Files\3IABWL\sounds\referee\score\26.wav
    2002-05-21 20:47 19462 --a------ C:\Program Files\3IABWL\sounds\referee\score\21.wav
    2002-05-21 20:47 19310 --a------ C:\Program Files\3IABWL\sounds\referee\score\18.wav
    2002-05-21 20:47 18722 --a------ C:\Program Files\3IABWL\sounds\referee\score\34.wav
    2002-05-21 20:46 50498 --a------ C:\Program Files\3IABWL\sounds\referee\score\180.wav
    2002-05-21 20:46 39008 --a------ C:\Program Files\3IABWL\sounds\referee\score\174.wav
    2002-05-21 20:46 36662 --a------ C:\Program Files\3IABWL\sounds\referee\score\166.wav
    2002-05-21 20:46 35922 --a------ C:\Program Files\3IABWL\sounds\referee\score\168.wav
    2002-05-21 20:46 35632 --a------ C:\Program Files\3IABWL\sounds\referee\score\171.wav
    2002-05-21 20:46 26072 --a------ C:\Program Files\3IABWL\sounds\referee\score\2.wav
    2002-05-21 20:46 20050 --a------ C:\Program Files\3IABWL\sounds\referee\score\24.wav
    2002-05-21 20:46 18580 --a------ C:\Program Files\3IABWL\sounds\referee\score\40.wav
    2002-05-21 20:46 16370 --a------ C:\Program Files\3IABWL\sounds\referee\score\35.wav
    2002-05-21 20:45 36808 --a------ C:\Program Files\3IABWL\sounds\referee\score\169.wav
    2002-05-21 20:45 30188 --a------ C:\Program Files\3IABWL\sounds\referee\score\150.wav
    2002-05-21 20:45 24020 --a------ C:\Program Files\3IABWL\sounds\referee\score\37.wav
    2002-05-21 20:45 23432 --a------ C:\Program Files\3IABWL\sounds\referee\score\4.wav
    2002-05-21 20:45 21368 --a------ C:\Program Files\3IABWL\sounds\referee\score\43.wav
    2002-05-21 20:45 20780 --a------ C:\Program Files\3IABWL\sounds\referee\score\46.wav
    2002-05-21 20:45 15640 --a------ C:\Program Files\3IABWL\sounds\referee\score\31.wav
    2002-05-21 20:44 41218 --a------ C:\Program Files\3IABWL\sounds\referee\score\163.wav
    2002-05-21 20:44 39302 --a------ C:\Program Files\3IABWL\sounds\referee\score\165.wav
    2002-05-21 20:44 23720 --a------ C:\Program Files\3IABWL\sounds\referee\score\59.wav
    2002-05-21 20:44 23578 --a------ C:\Program Files\3IABWL\sounds\referee\score\58.wav
    2002-05-21 20:44 22250 --a------ C:\Program Files\3IABWL\sounds\referee\score\55.wav
    2002-05-21 20:44 21962 --a------ C:\Program Files\3IABWL\sounds\referee\score\39.wav
    2002-05-21 20:44 20932 --a------ C:\Program Files\3IABWL\sounds\referee\score\45.wav
    2002-05-21 20:44 17552 --a------ C:\Program Files\3IABWL\sounds\referee\score\17.wav
    2002-05-21 20:43 30928 --a------ C:\Program Files\3IABWL\sounds\referee\score\156.wav
    2002-05-21 20:43 21962 --a------ C:\Program Files\3IABWL\sounds\referee\score\38.wav
    2002-05-21 20:43 21810 --a------ C:\Program Files\3IABWL\sounds\referee\score\56.wav
    2002-05-21 20:43 21368 --a------ C:\Program Files\3IABWL\sounds\referee\score\63.wav
    2002-05-21 20:43 20780 --a------ C:\Program Files\3IABWL\sounds\referee\score\41.wav
    2002-05-21 14:09 2618 --a------ C:\Program Files\3IABWL\sounds\Dart\Bounce.wav
    2002-04-05 13:34 788 --a------ C:\Program Files\3IABWL\blade2.ico
    2002-03-04 19:58 55274 --a------ C:\Program Files\3IABWL\sounds\Dart\Clash5.wav
    2002-03-04 19:58 55270 --a------ C:\Program Files\3IABWL\sounds\Dart\Clean4.wav
    2002-03-04 19:58 41862 --a------ C:\Program Files\3IABWL\sounds\Dart\Clash4.wav
    2002-03-04 19:58 41862 --a------ C:\Program Files\3IABWL\sounds\Dart\Clash1.wav
    2002-03-04 19:58 39218 --a------ C:\Program Files\3IABWL\sounds\Dart\Clean5.wav
    2002-03-04 19:58 36394 --a------ C:\Program Files\3IABWL\sounds\Dart\Clean2.wav
    2002-03-04 19:58 33750 --a------ C:\Program Files\3IABWL\sounds\Dart\Clash3.wav
    2002-03-04 19:58 33750 --a------ C:\Program Files\3IABWL\sounds\Dart\Clash2.wav
    2002-03-04 19:58 31106 --a------ C:\Program Files\3IABWL\sounds\Dart\Clean3.wav
    2002-03-04 19:58 25634 --a------ C:\Program Files\3IABWL\sounds\Dart\Clean1.wav


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 16:55]
    "CTHelper "= "CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS2\CTHELPER.EXE]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
    "Broadbandadvisor.exe "= "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
    "AAWTray "= "C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Last.fm Helper.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\Last.fm Helper.lnk
    backup=C:\WINDOWS2\pss\Last.fm Helper.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "

    R3 ctgame;Game Port;C:\WINDOWS2\system32\DRIVERS\ctgame.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-19 20:21:08 C:\WINDOWS2\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-22 10:45:28 C:\WINDOWS2\Tasks\XoftSpySE 2.job "
    - C:\Program Files\XoftSpySE\XoftSpy.exe
    "2007-09-21 17:29:37 C:\WINDOWS2\Tasks\XoftSpySE.job "
    - C:\Program Files\XoftSpySE\XoftSpy.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-22 11:58:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-22 12:00:32
    C:\ComboFix-quarantined-files.txt ... 2007-09-22 12:00
    C:\ComboFix2.txt ... 2007-09-22 00:43
    .
    --- E O F ---




    And the new hijackthis log ....

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:08:17, on 22/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS2\System32\smss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS2\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS2\system32\crypserv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS2\CTHELPER.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS2\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\gg\Desktop\HiJackThis_v2.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS2\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS2\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 6487 bytes



    Just want to say a massive thank you to you Dave. I really admire the time and effort you put into helping people like me. You're a credit to mankind!
     
  9. 2007/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can keep the darts game. ;) We are going to get rid of that other folder though, and a couple of files that showed up in the last combofix log. Please create another CFScript.txt file with the contents of the code box below, then drag-n-drop it onto combofix.exe after closing all other open windows and programs. Post the new log when complete.

    Code:
    File::
    C:\WINDOWS2\system32\lnnmp.bak2
    C:\WINDOWS2\system32\lnnmp.bak1
    
    Folder::
    C:\WINDOWS2\SxsCaPendDel

    It was likely the removal of C:\WINDOWS2\system32\kdaco.exe in ComboFix's first run that fixed the redirect issue. Glad to hear that too!

    Thanks Hayes :)
     
  10. 2007/09/22
    hayeslockett

    hayeslockett Inactive Thread Starter

    Joined:
    2007/09/21
    Messages:
    10
    Likes Received:
    0
    Gr8 stuff. Ok, so here is the new Combofix log then ..........


    ComboFix 07-09-21.2 - "gg" 2007-09-22 17:18:56.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT 1:00]
    Command switches used :: C:\Documents and Settings\gg\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS2\system32\lnnmp.bak2
    C:\WINDOWS2\system32\lnnmp.bak1
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS2\SxsCaPendDel
    C:\WINDOWS2\system32\lnnmp.bak1
    C:\WINDOWS2\system32\lnnmp.bak2

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-22 00:31 51,200 --a------ C:\WINDOWS2\NirCmd.exe
    2007-09-21 23:07 <DIR> d-------- C:\Deckard
    2007-09-21 21:21 <DIR> d-------- C:\Program Files\Browser Hijack Recover
    2007-09-21 20:02 52,224 --a------ C:\WINDOWS2\system32\Crypserv.exe
    2007-09-21 20:02 27,648 -ra------ C:\WINDOWS2\Setup_ck.exe
    2007-09-21 20:02 24,608 --a------ C:\WINDOWS2\system32\Ckldrv.sys
    2007-09-21 20:02 18,432 --a------ C:\WINDOWS2\Setup_ck.dll
    2007-09-21 20:02 165,888 --a------ C:\WINDOWS2\Ckconfig.exe
    2007-09-21 20:02 11,776 --a------ C:\WINDOWS2\Ckrfresh.exe
    2007-09-20 23:02 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-09-20 21:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
    2007-09-20 20:51 10,872 --a------ C:\WINDOWS2\system32\drivers\AvgAsCln.sys
    2007-09-20 18:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
    2007-09-19 21:22 <DIR> d-------- C:\Program Files\QuickTime
    2007-09-19 21:21 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-09-19 21:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
    2007-09-16 23:12 <DIR> d-------- C:\Program Files\DirectAccess
    2007-09-16 19:56 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-09-16 19:53 <DIR> d-------- C:\WINDOWS2\system32\drivers\UMDF
    2007-09-14 17:15 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-09-13 20:04 86,016 --a------ C:\WINDOWS2\unvise32.exe
    2007-09-13 20:04 <DIR> d-------- C:\Program Files\Skunk Studios
    2007-09-13 20:01 33,408 --a------ C:\WINDOWS2\system32\drivers\freedom.sys
    2007-09-13 20:00 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
    2007-09-13 20:00 <DIR> d-------- C:\Program Files\Common Files\Command Software
    2007-09-13 19:58 <DIR> d-------- C:\Windows
    2007-09-13 19:55 <DIR> d-------- C:\Program Files\Virgin Broadband
    2007-09-13 19:55 <DIR> d-------- C:\DOCUME~1\gg\APPLIC~1\Virgin Broadband
    2007-09-13 19:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Virgin Broadband
    2007-09-13 19:54 <DIR> d-------- C:\Program Files\VirginBroadband
    2007-09-13 19:18 663,552 --a------ C:\WINDOWS2\system32\libeay32_1-1-0_DDR.dll
    2007-09-13 19:18 532,594 --a------ C:\WINDOWS2\system32\xerces-c_1_40_0_DDR.dll
    2007-09-13 19:18 524,377 --a------ C:\WINDOWS2\system32\stlport_4_0_0_DDR.dll
    2007-09-13 19:18 307,329 --a------ C:\WINDOWS2\system32\BJBase_2-2-2_DDR.dll
    2007-09-13 19:18 159,744 --a------ C:\WINDOWS2\system32\ssleay32_1-1-0_DDR.dll
    2007-09-13 19:18 <DIR> d-------- C:\Program Files\Common Files\Motive
    2007-09-13 19:18 <DIR> d-------- C:\Program Files\BroadJump

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-21 20:14 --------- d-------- C:\Program Files\SWiSH v2.0
    2007-09-20 20:07 --------- d-------- C:\Program Files\RingBearers Script
    2007-09-20 20:01 12400 --a------ C:\WINDOWS2\system32\drivers\secdrv.sys
    2007-09-20 19:58 --------- d-------- C:\Program Files\3IABWL
    2007-09-20 19:29 --------- d-------- C:\Program Files\Common Files\Real
    2007-09-20 19:29 --------- d-------- C:\DOCUME~1\gg\APPLIC~1\Real
    2007-09-20 18:34 --------- d-------- C:\Program Files\Lavasoft
    2007-09-20 18:34 --------- d-------- C:\DOCUME~1\gg\APPLIC~1\Lavasoft
    2007-09-20 18:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-19 21:24 --------- d-------- C:\Program Files\iTunes
    2007-09-19 21:24 --------- d-------- C:\Program Files\iPod
    2007-09-15 00:23 --------- d-------- C:\Program Files\LimeWire
    2007-08-07 13:58 8320 --a------ C:\WINDOWS2\system32\drivers\AWRTRD.sys
    2007-08-07 13:56 9344 --a------ C:\WINDOWS2\system32\drivers\NSDriver.sys
    2005-01-29 16:52 1096087 --a------ C:\Program Files\slsk155-222.exe
    2004-01-04 18:51 1849344 --a------ C:\Program Files\RBScript.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 16:55]
    "CTHelper "= "CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS2\CTHELPER.EXE]
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
    "Broadbandadvisor.exe "= "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
    "AAWTray "= "C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

    C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
    Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS2^Start Menu^Programs^Startup^Last.fm Helper.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS2\Start Menu\Programs\Startup\Last.fm Helper.lnk
    backup=C:\WINDOWS2\pss\Last.fm Helper.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "

    R3 ctgame;Game Port;C:\WINDOWS2\system32\DRIVERS\ctgame.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-19 20:21:08 C:\WINDOWS2\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-22 17:21:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "
    "CTHelper "= "CTHELPER.EXE "
    "NeroFilterCheck "= "C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime "
    "iTunesHelper "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\" "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "
    "Broadbandadvisor.exe "= "\ "C:\\Program Files\\Virgin Broadband\\advisor\\Broadbandadvisor.exe\" /AUTORUN "
    "AAWTray "= "C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\AAWTray.exe "
    .
    Completion time: 2007-09-22 17:23:06
    C:\ComboFix-quarantined-files.txt ... 2007-09-22 17:22
    C:\ComboFix2.txt ... 2007-09-22 12:00
    C:\ComboFix3.txt ... 2007-09-22 00:43
    .
    --- E O F ---




    And I've popped another hijackthis log on. Not sure if you wanted that or not?....

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 17:25:59, on 22/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS2\System32\smss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS2\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS2\system32\crypserv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS2\CTHELPER.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS2\explorer.exe
    C:\WINDOWS2\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\gg\Desktop\HiJackThis_v2.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS2\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS2\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 5945 bytes



    Regards

    Hayes
     
  11. 2007/09/22
    noahdfear

    Logs look great!

    Let's start cleaning up after ourselves now. ;)

    Delete all of the following tools we have used, and the files/folders they created, if they exist.

    combofix.exe
    dss.exe
    C:\Deckard
    C:\ComboFix
    C:\QOOBOX
    C:\WINDOWS\nircmd.exe
    all combofix logs

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    Let's double-check something now. Please open Spybot, then click Mode on the menu and select Advanced mode. Click Tools in the left pane, then select IE Tweaks. Let me know if any of the Miscellaneous Locks are selected.
     
  12. 2007/09/22
    hayeslockett

    Ok, all done as requested.

    Files Deleted.
    ATF Cleaner done.


    Now, your spybot query....

    None of the 3 miscellaneous locks are selected


    Cheers

    Hayes
     
  13. 2007/09/22
    noahdfear

    Thanks. :)

    Create a new folder on the desktop named HJT, then move HijackThis.exe to that folder and run it from there. Scan again with HijackThis and place a check next to the following entries, then click Fix Checked.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Close HijackThis.

    Let's run an online virus scan to be sure we haven't missed anything.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
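The O6 and O17 lines that keep coming up in these logs are worth understanding: O6 reports Internet Explorer policy keys (Restrictions / Control Panel) that lock the user out of Internet Options, and O17 reports the DNS servers configured under the Tcpip registry keys, which a DNS hijacker changes to redirect searches. The Python below is an added example, not HijackThis code and not from any post here; it pulls both out of a log and flags any resolver not on an allowlist. The allowlist (the OpenDNS addresses seen in the logs above) and the last, all-zero-GUID sample line are assumptions.

```python
"""Triage the O6 and O17 lines of a HijackThis log.

Added example for this thread; not HijackThis code and not from any post.
O6  = IE policy keys that restrict Internet Options (hijackers set these so
      the user cannot undo homepage/search changes).
O17 = DNS servers in the Tcpip registry keys; a changed resolver silently
      redirects every lookup, which matches the "search results go elsewhere"
      symptom this thread started with.
"""
import re

# Assumption: OpenDNS, as configured in the logs above. In practice put here
# whatever the ISP or router is known to hand out.
EXPECTED_NAMESERVERS = {"208.67.220.220", "208.67.222.222"}

O_LINE = re.compile(r"^\s*O(?P<num>\d+) - (?P<body>.*\S)\s*$")


def parse_hjt(log: str):
    """Yield (section number, body) for every 'Onn - ...' line in the log."""
    for line in log.splitlines():
        m = O_LINE.match(line)
        if m:
            yield int(m.group("num")), m.group("body")


def triage(log: str) -> dict:
    """Collect IE policy keys and classify every configured DNS server."""
    findings = {"o6_policies": [], "o17_expected": [], "o17_unexpected": []}
    for num, body in parse_hjt(log):
        if num == 6:
            # e.g. HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
            key = body[: -len(" present")] if body.endswith(" present") else body
            findings["o6_policies"].append(key)
        elif num == 17:
            # e.g. HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a.b.c.d,e.f.g.h
            key, sep, value = body.partition(": NameServer =")
            if not sep:
                continue  # other O17 shapes (Domain = ...) are not checked here
            for server in (s.strip() for s in value.split(",")):
                if not server:
                    continue
                bucket = "o17_expected" if server in EXPECTED_NAMESERVERS else "o17_unexpected"
                findings[bucket].append((key, server))
    return findings


# Lines taken from the HijackThis log above; the final O17 line is constructed
# (all-zero interface GUID, TEST-NET address) to show what an unexpected resolver looks like.
SAMPLE_LOG = r"""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in result["o6_policies"]:
        print("IE policy restriction present:", key)
    for key, server in result["o17_unexpected"]:
        print("Unexpected DNS server", server, "in", key)
```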
     
  14. 2007/09/22
    hayeslockett

    Alrighty,

    Fixed those 4 entries you mentioned.

    The Kaspersky Virus scan has been running for 1 hour 30 mins so far. Bout 80 percent done.
    Seems weird though. Races through some things then gets really hung up on certain files, like .cab and .chm ?? Presume this is normal.

    Anyways, shouldn't be too long now. Will post the log with a fresh hijackthis as well.


    Thanks again :)

    Hayes
     
  15. 2007/09/22
    noahdfear

    Sorry it's so time consuming :(

    It is however, a necessary evil, IMO. ;)
     
  16. 2007/09/22
    hayeslockett

    Hey, don't apologise for the time it's takin!

    I'm jus chillin. Watchin Elton John's 60th B'day gig which got delivered today!
    Eek, bad thing to admit to depending on the company i'm in ! :S
     
  17. 2007/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've always enjoyed his music. :cool:
     
  18. 2007/09/22
    hayeslockett

    Right then..... doesn't look like good news to me, but then you're the expert...

    Kaspersky log first

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, September 23, 2007 12:58:59 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 23/09/2007
    Kaspersky Anti-Virus database records: 422310
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 65133
    Number of viruses found: 21
    Number of infected objects: 58
    Number of suspicious objects: 0
    Duration of the scan process: 02:29:27

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\01f5af3f28aa21eab66374bffbd71cf8_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\0a6ed5299b3ad8d6fb68b485273dae00_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ecfb5887abd275bb8b111179c818f03_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\247aa42461f7f0e14f45f4050054b376_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\296445ef719933e77a01ad0cb3b8dbd2_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ffd55c0b28e018fe84f2348310513ae_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\4fdb66d0ca1e9eae7eb76dc6b585118f_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\556abd1e121828d57307a779c851c97c_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\71902a6ec1d662080cfb8914742bc18b_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\92a302b1636889845519ac40c60c2191_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\9dd04d2d0f87618356f38a533c060eae_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\c57fcf865735a85b5c477449565ba799_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\e86bcd318eb9b93088cc5b773ff68eb9_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc5bd3fd675fc50921e60041235b8255_cb675585-6b58-4891-a3c8-54ae27c48362 Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS2\Application Data\Virgin Broadband\PCguard\logs\FirewallService09-22-2007--22-12-10.log Object is locked skipped
    C:\Documents and Settings\gg\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\cert8.db Object is locked skipped
    C:\Documents and Settings\gg\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\history.dat Object is locked skipped
    C:\Documents and Settings\gg\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\key3.db Object is locked skipped
    C:\Documents and Settings\gg\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\parent.lock Object is locked skipped
    C:\Documents and Settings\gg\Application Data\Virgin Broadband\advisor\client_gateway.log Object is locked skipped
    C:\Documents and Settings\gg\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Application Data\Mozilla\Firefox\Profiles\gc1fye0e.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\gg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\gg\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\gg\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Lockett\My Documents\RingBearers Script\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Documents and Settings\Lockett\My Documents\RingBearers Script\RingBearers Script.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab/toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab CAB: infected - 1 skipped
    C:\Program Files\LookSmart Toolbar\tbu12\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\Program Files\LookSmart Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\Program Files\RingBearers Script\RingBearers Script.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP146\A0037893.exe Object is locked skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP147\A0037913.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP147\A0037914.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe/Stream/data0005 Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe/Stream Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe Inno: infected - 2 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076/stream/data0006 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076/stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe Inno: infected - 4 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039404.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039405.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039406.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039407.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039408.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039409.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039411.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039412.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039413.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039414.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039415.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039416.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039417.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039418.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039419.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039420.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039421.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039422.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039423.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039425.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039426.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039428.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039430.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039431.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039432.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039434.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039435.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039436.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039437.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039438.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039439.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039442.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream/data0007/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe NSIS: infected - 4 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039500.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039500.exe mIRC: infected - 1 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP158\change.log Object is locked skipped
    C:\WINDOWS2\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS2\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS2\SoftwareDistribution\EventCache\{AA3BB7B7-15CA-4D54-801B-C36A6BB14E3F}.bin Object is locked skipped
    C:\WINDOWS2\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS2\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS2\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS2\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS2\system32\config\default Object is locked skipped
    C:\WINDOWS2\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS2\system32\config\SAM Object is locked skipped
    C:\WINDOWS2\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS2\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS2\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS2\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS2\system32\config\software Object is locked skipped
    C:\WINDOWS2\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS2\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS2\system32\config\system Object is locked skipped
    C:\WINDOWS2\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS2\system32\h323log.txt Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS2\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS2\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS2\{00000000-00000000-00000009-00001102-00000004-10071102}.CDF Object is locked skipped

    Scan process completed.



    And the new hijackthis log...

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 01:01:33, on 23/09/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS2\System32\smss.exe
    C:\WINDOWS2\system32\winlogon.exe
    C:\WINDOWS2\system32\services.exe
    C:\WINDOWS2\system32\lsass.exe
    C:\WINDOWS2\system32\svchost.exe
    C:\WINDOWS2\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\fws.exe
    C:\WINDOWS2\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS2\system32\crypserv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS2\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS2\CTHELPER.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS2\system32\NOTEPAD.EXE
    C:\Documents and Settings\gg\Desktop\HJT\HiJackThis_v2.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1F2026-646A-4269-B341-927A75A139A6}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1CC9E51-3EEB-4BFD-8FBA-88D88AD9E252}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS2\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS2\System32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS2\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe

    --
    End of file - 5118 bytes



    Good luck! :)
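Reading a Kaspersky Online Scanner report comes down to sorting its result lines by what they actually are: locked files the scanner merely skipped, archive rollups, hits that live only in System Restore snapshots, detections Kaspersky itself labels not-a-virus, and anything left over. The Python below is an added example, not Kaspersky's code or anything from this thread; the sample lines are taken from the report above except the last, which is constructed.

```python
"""Triage a Kaspersky Online Scanner report into buckets a helper acts on.

Added example for this thread; not Kaspersky code and not from any post.
Buckets:
  locked         - "Object is locked skipped": in-use files, not detections
  container      - "<Kind>: infected - N": rollup of members already listed
  restore_point  - hits under System Volume Information\_restore{...}\RPnnn
  not_a_virus    - Kaspersky's own label for adware, IRC clients, FTP servers
  needs_cleanup  - everything else: the only bucket that is real malware
"""
import re
from collections import defaultdict

# Line shapes seen in the report above; the trailing "skipped" is the Last Action column.
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Za-z]+): infected - (?P<count>\d+) skipped$")
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)


def on_disk_path(obj: str) -> str:
    """Kaspersky names archive members as <file>/<member>; Windows paths never
    contain '/', so the text before the first '/' is the file on disk."""
    return obj.split("/", 1)[0]


def classify(line: str):
    """Return (bucket, on-disk path, detection name or None), or None for non-result lines."""
    line = line.strip()
    m = LOCKED.match(line)
    if m:
        return "locked", m["path"], None
    m = CONTAINER.match(line)
    if m:
        return "container", m["path"], f"{m['kind']}: {m['count']} inner objects"
    m = INFECTED.match(line)
    if m:
        path, name = on_disk_path(m["path"]), m["name"]
        if RESTORE_POINT.search(path):
            bucket = "restore_point"      # gone once restore points are purged
        elif name.startswith("not-a-virus:"):
            bucket = "not_a_virus"        # adware / riskware, judge case by case
        else:
            bucket = "needs_cleanup"
        return bucket, path, name
    return None


def triage(report: str) -> dict:
    """Group detections as bucket -> on-disk file -> sorted detection names."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in report.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        bucket, path, name = hit
        names = buckets[bucket][path]
        if name:
            names.add(name)
    return {b: {p: sorted(n) for p, n in files.items()} for b, files in buckets.items()}


def summary(report: str) -> dict:
    """Distinct on-disk files per bucket: the number a helper actually has to deal with."""
    return {bucket: len(files) for bucket, files in triage(report).items()}


# Lines taken from the report above; the last line is constructed to show a real hit.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\gg\NTUSER.DAT Object is locked skipped
C:\WINDOWS2\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Lockett\My Documents\RingBearers Script\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab/toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab CAB: infected - 1 skipped
C:\Program Files\LookSmart Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe Inno: infected - 4 skipped
C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039404.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\gg\Local Settings\Temp\sample.exe Infected: Trojan.Win32.CONSTRUCTED.a skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, count in summary(SAMPLE_REPORT).items():
        print(f"{bucket:14s} {count} file(s)")
    for path, names in triage(SAMPLE_REPORT).get("needs_cleanup", {}).items():
        print("needs cleanup:", path, names)
```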
     
  19. 2007/09/22
    noahdfear

    Not nearly as bad as it appears.

    Code:
    C:\Documents and Settings\Lockett\My Documents\RingBearers Script\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\Documents and Settings\Lockett\My Documents\RingBearers Script\RingBearers Script.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
    C:\Program Files\RingBearers Script\RingBearers Script.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.602 skipped
    
    C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab/toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab CAB: infected - 1 skipped
    C:\Program Files\LookSmart Toolbar\tbu12\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\Program Files\LookSmart Toolbar\toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    
    C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP147\A0037913.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP147\A0037914.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe/Stream/data0005 Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe/Stream Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe Inno: infected - 2 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076/stream/data0006 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076/stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream/data0076 Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe/Stream Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038885.exe Inno: infected - 4 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039404.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039405.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039406.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039407.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039408.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039409.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039411.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039412.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039413.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039414.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039415.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039416.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039417.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039418.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039419.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039420.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039421.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039422.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039423.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039425.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039426.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039428.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039430.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039431.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039432.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039434.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039435.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039436.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039437.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039438.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039439.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039442.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream/data0007/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039494.exe NSIS: infected - 4 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039500.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
    C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039500.exe mIRC: infected - 1 skipped
    
    Do you know what this is?
    C:\Program Files\RingBearers Script\RingBearers Script.exe
    Looks like a chat client, but I'm not finding any info on it. If unknown to you, see if it's listed in Add/Remove and uninstall it, then remove the RingBearers Script folders in both Program Files and My Documents. If you know it to be safe, keep it if you wish.

    Recommend you uninstall the LookSmart Toolbar then remove the C:\Program Files\LookSmart Toolbar folder.

    Both of these are part of MyWebSearch, which in my opinion is more of a nuisance than anything.

    C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
    C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    MyWebSearch generally gets installed when you install the smilies for MSN Messenger. If you can do without them, recommend you uninstall it as well.

    The rest of the scan found files within your System Restore points. Let's deal with those now.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point', then click Next. Give the restore point a name and click Next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49

    Surf safe!
     
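    As an added example (not part of the thread or of any tool mentioned in it), here is a small Python triage of the Kaspersky-style scan lines quoted above. It makes the same split noahdfear does by hand: detections on files still live on disk versus copies that only survive inside System Restore points, and whether every verdict is "not-a-virus" riskware. The regexes, function names and the choice of sample lines are my assumptions.

```python
import re
from collections import defaultdict

# One detection line, in the format of the scan output quoted in the thread:
#   <path>[/<archive member>/...] Infected: <verdict> skipped
# Archive summary lines such as "<file> Inno: infected - 2 skipped" do not match.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
# On XP, System Restore keeps file copies under _restore{GUID}\RPnnn\ (assumed layout).
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)

def parse_line(line):
    """Return (on-disk file, family, in_restore_point, is_not_a_virus), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    on_disk = path.split("/", 1)[0]          # members inside an archive follow a '/'
    kind, _, name = verdict.partition(":")   # e.g. "not-a-virus:AdTool.Win32.MyWebSearch.au"
    family = ".".join(name.split(".")[:3]) if kind == "not-a-virus" else verdict
    return on_disk, family, bool(RESTORE_RE.search(on_disk)), kind == "not-a-virus"

def triage(log_text):
    """Split hits into files still live on disk and copies held only in restore points."""
    live, restore, all_riskware = defaultdict(set), defaultdict(set), True
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        on_disk, family, in_restore, riskware = hit
        all_riskware &= riskware
        (restore if in_restore else live)[family].add(on_disk)
    return {"live": {f: sorted(p) for f, p in live.items()},
            "restore_points": {f: sorted(p) for f, p in restore.items()},
            "only_not_a_virus": all_riskware}

# Sample lines copied from the scan output quoted in the thread above.
SAMPLE_LOG = r"""
C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab/toolbar.dll Infected: not-a-virus:AdWare.Win32.SearchIt.p skipped
C:\Program Files\LookSmart Toolbar\tbu12\tbupdate.cab CAB: infected - 1 skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0038755.exe/Stream/data0005 Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 skipped
C:\System Volume Information\_restore{BC8D5196-8359-43FC-9CD9-314307E26B03}\RP151\A0039405.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for area in ("live", "restore_points"):
        print(f"== {area} ==")
        for family, files in sorted(result[area].items()):
            print(f"{family}: {len(files)} file(s)")
            for f in files:
                print("   ", f)
    print("all detections are 'not-a-virus' riskware:", result["only_not_a_virus"])
```

    Files under "live" need an uninstall or manual removal; files under "restore_points" disappear once the restore points are cleared as described in the post above.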
  20. 2007/09/23
    hayeslockett

    hayeslockett Inactive Thread Starter

    Joined:
    2007/09/21
    Messages:
    10
    Likes Received:
    0
    Actioned everything you recommended.

    The Ringbearers script was the same thing as the RBScript.exe which I mentioned has been on there for a few years. Doesn't get used at all anymore though, so I binned that as well.

    Also did the system restore procedure as you suggested.


    So that's it? All done. Absolutely fantastic.
    Computer is indeed running really well. Not only have the browser redirects completely stopped...there also seems to be a general speed up in internet browsing.

    Just about to read through Geri's post about recommendations regarding future protection. Thanks again Sir


    Hayes
     
  21. 2007/09/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yep, that's it. Glad to hear things are back to normal, and happy I could help. You're most welcome. :)
     
