Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan trouble

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojan trouble

Unread postby jc1303 » December 1st, 2007, 4:58 pm

Hi,
been having trouble with Trojan infection and I stumbled across this site so Im hoping you good people can help me.

So far I have run:
Spy Sweeper
CW Shredder
Rogue Remover
Adaware
Spybot S+D
AVG antispyware
AVG antivirus
Trojan Hunter
A Squared
Housecall antivirus
Bitdefender antivirus

Anyway, after all that my Hijack This log is as follows.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:06, on 01/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plus.net/index_portal.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {164B7670-301E-11D4-AF4E-005056B6005A} (Svsainst Control) - http://www.swiftview.com/product/curren ... lassic.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/ins ... _v01_5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9896692968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: inetdb - C:\WINDOWS\
O20 - Winlogon Notify: wintvf32 - wintvf32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11158 bytes



Hope someone can help, Thanks in advance!

jc1303
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm
Advertisement
Register to Remove

Re: Trojan trouble

Unread postby askey127 » December 6th, 2007, 7:30 am

Hi jc1303,
-----------------------------------------------------------
Set Your Computer to Show All Files
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading, select Show hidden files and folders.
  6. Uncheck Hide protected operating system files (recommended).
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Disable Trojan Hunter Guard
Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red. Right click it and select settings. Uncheck "Load at startup" and "Enabled".
-----------------------------------------------------------
Disable A-Squared Guard
- Open a-square
- Click on "Configure Background-Guard"
- Deselect "Enable background guard on system startup"
- Close window
- Close a-square
- Reboot your machine for the changes to take effect before running HiJackThis.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O20 - Winlogon Notify: inetdb - C:\WINDOWS\
O20 - Winlogon Notify: wintvf32 - wintvf32.dll (file missing)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Download and Run ComboFix-----------------------------------------------------------
Post a New HiJackThis Log
Reboot your computer. Start HijackThis
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the entire contents of C:\combofix.txt.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 6th, 2007, 9:42 am

Hi,

thanks for replying. Ive done all that you suggested.

My new Hijack This log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:19, on 06/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plus.net/index_portal.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {164B7670-301E-11D4-AF4E-005056B6005A} (Svsainst Control) - http://www.swiftview.com/product/curren ... lassic.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/ins ... _v01_5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9896692968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10915 bytes


The contents of combofix.txt are

ComboFix 07-12-02.6 - J & Liza 2007-12-06 13:23:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.522 [GMT 0:00]
Running from: C:\Documents and Settings\J & Liza\Local Settings\Temporary Internet Files\Content.IE5\EDARCVD0\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 12:56 . <DIR> C:\Documents and Settings\J 2007-12-06 12:56 <DIR> Liza\Recent
2007-12-01 20:41 . 2007-12-01 20:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-01 18:52 . 2007-12-01 20:40 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-01 18:41 . 2007-12-01 18:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-01 18:41 . 2007-12-01 18:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-01 18:41 . 2007-12-01 18:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-01 17:00 . <DIR> C:\Documents and Settings\J 2007-12-01 17:00 <DIR> Liza\.housecall6.6
2007-12-01 16:58 . 2007-12-01 16:58 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-01 13:28 . <DIR> C:\Documents and Settings\J 2007-12-01 13:28 <DIR> Liza\Application Data\TrojanHunter
2007-12-01 12:15 . 2007-12-01 16:40 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-12-01 12:11 . 2007-12-01 13:28 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-30 22:24 . <DIR> C:\Documents and Settings\J 2007-11-30 22:24 <DIR> Liza\Application Data\Grisoft
2007-11-30 22:23 . 2007-11-30 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-30 22:23 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-30 22:07 . 2007-11-30 22:07 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-11-30 19:48 . 2007-11-30 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-30 12:44 . 2007-12-03 12:20 <DIR> d-------- C:\Program Files\EMDB
2007-11-30 09:53 . <DIR> C:\Documents and Settings\J 2007-11-30 09:53 <DIR> Liza\Application Data\FrostWire
2007-11-30 09:53 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-28 19:20 . <DIR> C:\Documents and Settings\J 2007-11-28 19:20 <DIR> Liza\Application Data\GlarySoft
2007-11-28 19:19 . 2007-11-28 19:19 <DIR> d-------- C:\Program Files\Quick StartUp
2007-11-28 18:55 . 2007-11-28 19:00 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-28 18:52 . 2007-12-01 13:28 <DIR> d-------- C:\Program Files\MzRam
2007-11-27 07:56 . 2007-11-27 08:49 <DIR> d-------- C:\Program Files\UltraISO
2007-11-27 07:56 . 2007-11-27 08:49 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2007-11-26 16:23 . 2007-12-06 10:39 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-26 14:29 . 2007-11-26 14:29 <DIR> d-------- C:\Program Files\Eidos
2007-11-13 17:00 . 2007-11-13 17:00 <DIR> d-------- C:\Program Files\Wondershare

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 13:28 86,356,000 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-06 13:12 --------- d-----w C:\Program Files\Lx_cats
2007-12-06 13:09 1,012,844 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-04 16:55 --------- d-----w C:\Program Files\OrangeCD
2007-12-03 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 19:13 --------- d-----w C:\Program Files\Soulseek
2007-12-03 13:50 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\Vso
2007-12-02 10:39 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\uTorrent
2007-12-01 16:41 --------- d-----w C:\Program Files\ElcomSoft
2007-12-01 13:28 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\TrojanHunter
2007-12-01 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-01 11:23 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\AVG7
2007-11-30 22:24 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\Grisoft
2007-11-30 12:20 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\MediaMan
2007-11-30 10:46 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\FrostWire
2007-11-30 09:53 --------- d-----w C:\Program Files\Java
2007-11-30 09:51 --------- d-----w C:\Program Files\LimeWire
2007-11-28 19:20 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\GlarySoft
2007-11-28 06:34 31,610,791 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-11-12 16:19 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\IE7Pro
2007-11-12 16:16 --------- d-----w C:\Program Files\IE7Pro
2007-11-10 20:29 --------- d-----w C:\Documents and Settings\J & Liza\Application Data\U3
2007-11-10 18:05 --------- d-----w C:\Program Files\Google
2007-10-31 13:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-21 21:25 --------- d-----w C:\Program Files\Championship Manager 99-00
2007-09-26 16:34 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-06 15:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 15:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-06-02 07:21 120,106 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_06_02_01_42_02_small.dmp.zip
2007-05-28 02:52 120,072 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_27_02_54_14_small.dmp.zip
2007-05-13 07:21 122,053 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_12_06_46_13_small.dmp.zip
2007-05-13 07:21 116,638 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_12_08_45_47_small.dmp.zip
2007-05-13 07:21 115,905 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_12_08_57_56_small.dmp.zip
2007-05-11 16:13 16,974,574 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_11_06_23_42_full.dmp.zip
2007-05-11 16:13 122,133 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_11_06_21_24_small.dmp.zip
2007-04-09 17:11 18,898,279 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_09_08_35_41_full.dmp.zip
2007-04-09 17:10 17,060,800 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_09_07_33_18_full.dmp.zip
2007-04-09 17:10 114,515 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_09_07_32_46_small.dmp.zip
2006-12-26 08:41 47,360 ----a-w C:\Documents and Settings\J & Liza\Application Data\pcouffin.sys
2006-12-07 07:10 72,440 ----a-w C:\Documents and Settings\J & Liza\Application Data\GDIPFONTCACHEV1.DAT
2006-03-15 22:27 315 ----a-w C:\Documents and Settings\J & Liza\Application Data\DelAll.bat
2005-10-24 06:16 98 ---h--w C:\Documents and Settings\J & Liza\Application Data\srfvdo.dat
2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 11:47 31,744 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2005-04-16 07:12 25,677 --sh--w C:\WINDOWS\Web\smwbew.bak1
2005-04-17 07:30 27,667 --sh--w C:\WINDOWS\Web\smwbew.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 11:53]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowWnd"="ShowWnd.exe" [2003-09-19 15:09 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 21:18]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="zHotkey.exe" [2005-02-22 15:32 C:\WINDOWS\zHotkey.exe]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005-08-02 17:45]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005-07-26 12:17]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 09:36]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 12:00 C:\WINDOWS\system32\rundll32.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 08:05 C:\WINDOWS\ALCWZRD.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-30 22:47]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2007-08-31 20:24]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 13:46]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-30 22:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinManager.lnk - C:\Program Files\PC-TV\WinManager\WinManager.exe [2006-11-07 20:41:31]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinManager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinManager.lnk
backup=C:\WINDOWS\pss\WinManager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2006-10-25 05:46 470016 --a------ C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-03 15:22 77824 --a------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-03 15:26 118784 --a------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-03 15:25 98304 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-08-14 00:04 5562368 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ppmate]
C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 01:42 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STManager]
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-04-13 03:48 36975 --a------ C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 AUD;DTV-DVB 3054 Analog Audio Capture;C:\WINDOWS\system32\DRIVERS\3054AudCap.sys
R3 CX23880;DTV-DVB 3054 Video Capture;C:\WINDOWS\system32\drivers\3054VidCap.sys
R3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;C:\WINDOWS\system32\drivers\3054BDACap.sys
R3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;C:\WINDOWS\system32\drivers\3054AVXBar.sys
R3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;C:\WINDOWS\system32\drivers\3054BDATune.sys
R3 THIR;DTV-DVB 3054 IR Decoder;C:\WINDOWS\system32\drivers\3054IR.sys
R3 THTUNE;DTV-DVB 3054 Analog Tuner;C:\WINDOWS\system32\drivers\3054Tune.sys
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 ewdmaudn;ewdmaudn;\??\C:\DOCUME~1\J&LIZA~1\LOCALS~1\Temp\ewdmaudn.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9175a1f-8c1c-11db-8f16-000e501492a9}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 09:43:53 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 13:30:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 13:32:52
.
--- E O F ---


Thanks again
jc1303
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm

Re: Trojan trouble

Unread postby askey127 » December 6th, 2007, 12:45 pm

jc1303,
I want to be sure we don't have anything else here.
------------------------------------------------------------
Update your Java.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel > Add/Remove Programs.
  • Check any item with Java Runtime Environment, JRE, J2SE, or Java Webstart in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all installed versions of Java.
  • Reboot your computer
Then download the latest version of Java Runtime Environment(JRE), and install it to your computer. It is the 4th one down on the page, called Java Runtime Environment (JRE) 6 Update 3
Download it, choose save, and save it to your desktop.Then doubleclick it, and it will install the newest version of Java for you to use.
-----------------------------------------------------------
Download and Run FindAWF
Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press any key and you will be presented with a menu that looks like this:
    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT
Press 1 then Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Copy and paste the contents of the AWF.txt file in your next reply.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

So we are looking for the contents of AWF.txt and Kav.txt in your next reply.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 6th, 2007, 2:56 pm

Hi,

Ok, Ive done the Java stuff without any problem.
Ive downloaded FindAWF but when I double click, it opens a command prompt which then closes almost immediately.
It says something about 'not recognized as internal or external command,operable program or batch file. The system cannot find the path specified'

Any idea whats going wrong?

thanks

jc1303
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm

Re: Trojan trouble

Unread postby askey127 » December 6th, 2007, 6:04 pm

Please run the kaspersky scan and post the log kav.txt.
Thanks,
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 7th, 2007, 5:45 am

KAV.txt is as follows

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 07, 2007 9:44:04 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/12/2007
Kaspersky Anti-Virus database records: 474977
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan Statistics:
Total number of scanned objects: 118531
Number of viruses found: 1
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 02:19:21

Infected Object Name / Virus Name / Last Action
C:\AVG7QT.DAT Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{326BB252-4514-406E-9B36-C8DCBCDA9A37} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{3A6C1C63-CD15-4332-B1A1-FA4BDB2281A6} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{4476B3CB-34DA-4A87-A30E-DB5368885C47} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{4C500FF7-42E7-46E1-AAF4-1DD6B8383CAC} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{975AD193-020B-4EEF-9D93-2E9BE6FE9AD0} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{B65F50BA-8BFC-4781-9E01-15786684C6EC} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{C634E700-521E-4A65-9161-17D10087F8DA} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{E58D4DB2-EF83-48BC-8B5D-D2946899AC93} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{F3A76DC4-87C0-4456-AD11-598D72C9CFA7} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Application Data\Microsoft\Windows Defender\FileTracker\{FCC2B946-6DB5-4DDD-8D4F-2697D1B398D3} Infected: Trojan.Win32.Qhost.r skipped
C:\Documents and Settings\J & Liza\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\J & Liza\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\J & Liza\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\J & Liza\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\J & Liza\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\J & Liza\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\J & Liza\ntuser.dat Object is locked skipped
C:\Documents and Settings\J & Liza\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C11E9C87-DF7E-469C-A112-5CC50FAE0C37}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-E641889C92.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{818E632E-FEA5-4794-B727-E208346FDF33}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan.Win32.Qhost.r skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT00a90.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00a93.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Thanks
jc1303
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm

Re: Trojan trouble

Unread postby askey127 » December 7th, 2007, 7:23 am

----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here Choose the "Slim" version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
-----------------------------------------------------------
Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

Please post the contents of CCleaner's install.txt
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 7th, 2007, 7:51 am

Contents of install.txt


µTorrent
7-Zip 4.42
ABBYY FineReader 6.0 Sprint
Acala 3GP Movies Free 2.3.5
Ad-aware 6 Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe Stock Photos 1.0
Aimersoft DVD Ripper(Build 1.0.16)
AnyDVD
AOL UK (Choose which version to remove)
AOL You've Got Pictures Screensaver
Apple Software Update
a-squared Anti-Malware 3.0
Audacity 1.2.6
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
AVI Screen Saver
AVS Disc Creator version 2.1
AVS Video Tools 5.2
Belarc Advisor 7.0
BigFix
Blade Trinity Screen Saver
BlindWrite 6
BlueSoleil
Burn4Free CD and DVD
CCleaner (remove only)
CDex extraction audio
Championship Manager 99-00
Cisco Systems VPN Client 4.0.3 (A)
CloneCD
CloneDVD2
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.1
coverXP (remove only)
Crystal Player Professional 1.97
Crystal2Mobile Producer 2.1
CutePDF Writer 2.7
DCart32V4
Digital Media Reader
Disc2Phone
Dr SpeedTouch
DVD Decrypter (Remove Only)
Easy Video Splitter 1.28
EAX4 Unified Redist
Elprime Media Recovery 1.0
Eusing Free Registry Cleaner
Express Burn Uninstall
Express Rip Uninstall
Family Tree Maker 2005
FinePixViewer Ver.4.2
FM Scout
Football Manager 2006
Free Mp3 Wma Converter V 1.6.1
FUJIFILM USB Driver
GOM Player
Google Earth
Google Toolbar for Internet Explorer
GTK+ 2.10.13 runtime environment
Guitar Pro 5.2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
HP Driver Diagnostics
IE7Pro
ImageConverter
ImageMixer VCD2 for FinePix
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
IsoBuster 2.1
Java(TM) 6 Update 3
Juniper Networks Host Checker
Kaspersky Online Scanner
K-Lite Codec Pack 2.81 Basic
Learn2 Player (Uninstall Only)
Lexmark 4300 Series
Lexmark Fax Solutions
LiveUpdate BVRP Software
Lock On: Modern Air Combat
Malwarebytes' RogueRemover 1.22
McAfee Shredder
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money
Microsoft Money System Pack
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Office XP Professional
Microsoft Office XP Web Components
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
mobile PhoneTools
Movies
Moyea DVD Ripper version 1.1.2.14
MP3 Player Utilities
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Keyboard Driver
MySpaceIM
Mz Ram Booster
NeoDownloader 2.1c
Nero BurnRights
Nero OEM
Nuclear Coffee - VideoGet 2.0.2.26
NVIDIA Drivers
OLYMPUS CAMEDIA Master 4.1
OrangeCD Suite version 5.2.0
Paint.NET v3.10
Panda ActiveScan
PC Inspector File Recovery
Pcast P2P Á÷ýÌå¿Ø¼þ 1.0.0.17
Power Tab Editor 1.7
PowerDVD
PowerISO
PPLive 1.1.0.4
ppmate 1.6.3.25
PPStream
Pro Evolution Soccer 5
Quick StartUp 2.3
QuickTime
Race Driver 2
RAW FILE CONVERTER LE
RealPlayer
Realtek High Definition Audio Driver
RecordPad Sound Recorder Uninstall
Recuva (remove only)
Riva FLV Encoder 2.0
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Secure Application Manager
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Shockwave
Smart Link 56K Voice Modem
SnapTrack
SolveigMM Video Splitter
Sony Ericsson PC Suite 1.20.224
SopCore 1.0.1
SpeedFan (remove only)
SpeedTouch USB Software
Spybot - Search & Destroy
SUPER © Version 2007.bld.22 (Mar 14, 2007)
SuperLetter Quick Letter Writer BFPO
SwiftView Viewer
Switch
Synacast Plug-in 1.1.0.4
The GIMP 2.2.17
TMPGEnc Plus 2.5
TrojanHunter 5.0
TSUNAMI-MPEG DVD Author PRO
TVAnts 1.0
TVUPlayer 2.3.2.52
TwinhanDTV
ubi.com
UltraISO Premium V8.65
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
USB Data Cable
VideoAvatar
Viewpoint Media Player
Virtual Earth 3D (Beta)
VirtualCloneDrive
WavePad Uninstall
Web Stream Recorder Pro 1.61
WebFldrs XP
Windows Backup Utility
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinPcap 3.1
WinRAR archiver
Wondershare AVI to DVD Burner(Build 2.1.15)
ZoneAlarm
Zoner GIF Animator 5
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm

Re: Trojan trouble

Unread postby askey127 » December 7th, 2007, 8:19 am

jc1303,
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A:D /B /S|Find "bak" >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of that file.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 7th, 2007, 8:50 am

look.txt is completely empty
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm

Re: Trojan trouble

Unread postby askey127 » December 7th, 2007, 9:29 am

jc1303,
OK. Good. That says you do not have an AWF infection.
Your logs look OK to me.
How are things running?
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 7th, 2007, 10:57 am

Everything seems to be running ok, I havent had any infection warning for a few days now apart from the one thing that the Kaspersky scan found earlier
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm

Re: Trojan trouble

Unread postby askey127 » December 7th, 2007, 1:23 pm

jc1303,
Kaspersky is only reporting the stuff already locked up by Defender and AVG. That should be OK.
-----------------------------------------------------------
Reset Options in CCleaner for Regular Use.
Open CCleaner if it's not already running.
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. Then under Internet Explorer, Uncheck "History". In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Check Only delete files in Windows Temp folders older than 48 hours.
  • Set CCleaner to Run When Computer Starts. Click on the Options block on the left, then choose Settings. Check Run Ccleaner when computer starts.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the Combofix and the /u
Image

When shown the disclaimer, Select "2"
-----------------------------------------------------------
Peer to Peer File Sharing
Please note that as long as you're using any form of Peer-to-Peer networking (utorrent, Azureus, Morpheus, Limewire, etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

When you use Peer-to-peer (P2P) programs, you are downloading software from an UNKNOWN source directly onto your computer, bypassing your Firewall and Anti-Virus software. It's hardly surprising that many of the available downloads are being used by malware purveyors as a delivery method for their infections. Further, if your P2P program is not configured correctly you may be sharing more files than you realize. See here : http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

Even if you have one of the SAFE P2P programs, the practice of file-sharing is very UNSAFE for the health of your PC.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of major PC infections.
Better ask yourself if you and your system CD are REALLY ready to reformat your Hard Drive and Re-install Windows.

The risks of using P2P programs are described here Sourceforge webpage and in this Information Week article.
Some malware help forums are now refusing to help those who show up with infections from P2P usage.

I think you should stop using and Uninstall utorrent, but it's your decision
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, just HOSTS (no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Whatever list your HOSTS file has will be used by your browser. You can open the HOSTS file with Notepad and look at it.
In Windows XP, it is located in this folder ==> C:\Windows\System32\Drivers\etc\

Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK


Download BlueTack's HOSTS Manager here, using Internet Explorer:
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says "Download Estimates, right click on the underlined word "Hosts Manager" choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager

After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the Hosts Switch icon).
When the manager comes up, got to the left pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a firewall, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.
------------------------------------------------------------------------------------------------------------
IF YOU ARE INTERESTED, EXTRA INFORMATION ABOUT HOSTS FILES:
Read an excellent tutorial about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406

There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337

You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (80k+ entries) is more aggressive than the mvps (12k + entries), and targets adware sites as well as more dangerous ones.

You should be good to go.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Trojan trouble

Unread postby jc1303 » December 7th, 2007, 4:22 pm

Brilliant!
Thank you so much for all your help. I would have been really stuck without all your advice.

I will remove uTorrent as well, I dont want to have to go through all this again.

Thanks again

jc1303
jc1303
Active Member
 
Posts: 8
Joined: December 1st, 2007, 4:49 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 62 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware