Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan/Virus still remains after your help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojan/Virus still remains after your help

Unread postby makem » January 2nd, 2008, 4:50 pm

Hi once again. My previous thread was 'Another Infected Computer. Please help' After your help all appear ok, however, today I hade an error message on startup saying that the file yujugjhw.dll could not be found. This is being loaded by 6cdc9ce0 and even though I deleted the registry entry it comes back. It appears that there is still more left on the machine and I would be grateful for your help again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:58, on 02/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\PROGRA~1\Grisoft\AVG7\avgwb.dat
F:\Documents and Settings\makem.HAL\Desktop\FireFox Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Outpost Firewall] F:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: slczgvbi - F:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 8238 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm
Advertisement
Register to Remove

Re: Trojan/Virus still remains after your help

Unread postby Trogan » January 3rd, 2008, 1:18 pm

Hello makem,

Please do the following...

1. I need to see another log from HijackThis.

  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your in your next post.
2. Please download ComboFix to your Desktop.

  • Double click on Combofix.exe & follow the prompts.
  • When the scan has finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

3. Please post the following...

Uninstall list
ComboFix log
New HijackThis log
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 2:12 pm

Logas as requested:

Absolute Uninstaller 1.51
ACDSee 7.0 PowerPack
ACE Mega CoDecS Pack
Ad-Aware SE Professional
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8
Adobe Stock Photos 1.0
Agnitum Outpost Firewall Pro
AnyDVD
Asus Probe V2.64.03
AVG 7.5
AVG Anti-Spyware 7.5
Azureus 2.0.7.1_CVS
BitTornado 0.3.17
Brad Smith Easy SFV Creator
C-Media WDM Audio Driver
Counter-Strike
Counter-Strike: Source
Day of Defeat
Day of Defeat: Source
Deathmatch Classic
Dell Color Printer 725
DigiGuide TV Guide
DIKO 0.78 Beta 1
Diskeeper Professional Edition
DivX Player
dvdSanta 4.00
eMule
Family Tree Maker 2006
ffdshow [rev 739] [2007-01-05]
FlashGet 1.9.0.1012
FTPRush 1.0.0.612 Unicode
GuildFTPd FTP Deamon
Half-Life 2: Deathmatch
Hauppauge WinTV NT4/Win2000 Drivers
Hauppauge WinTV2000
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
ICQ 5.1
ImgBurn (Remove Only)
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 5
Kaspersky Online Scanner
Lemmings for Windows 95
LimeWire PRO 4.12.6
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Magic DVD Ripper V3.0
MailWasher Pro
MainConcept MJPEG Codec Demo
MainConcept MJPG software codec (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 3.8
Microsoft Bootvis
Microsoft Money
Microsoft Money for the Pocket PC
Microsoft Money System Pack
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
mIRC
MobSync
Monkey's Audio
Mozilla Firefox (2.0.0.9)
Nero 7 Premium
NETGEAR Print Server Software
NewsLeecher
NewsLeecher v3.8 Final
nLite 1.0 RC5
No-IP.com DUC (remove only)
Norton AntiVirus 2004
NVIDIA Drivers
NVIDIA WDM Drivers
Poi Edit v4.0
Poi Edit v4.5.1
PowerISO
PowerQuest PartitionMagic 8.0
QuickTime
RealPlayer
Realtek AC'97 Audio
Resco Explorer 2003
Saved Folders (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Sony Sound Forge Audio Studio 8.0a
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareGuard v2.2
Steam
SUPERAntiSpyware Free Edition
System Requirements Lab
Total Commander (Remove or Repair)
TuneUp Utilities 2007
Ulead DVD Workshop 2
UltraISO V7.2 Media Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.4a
WhereIsIP
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XviD Video Codec 15012003-1 (Koepi's developer build)

ComboFix 08-01-03.3 - makem 2008-01-03 17:41:35.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.962 [GMT 0:00]
Running from: F:\Documents and Settings\makem.HAL\Desktop\FireFox Downloads\ComboFix.exe
* Created a new restore point
.
/wow section - STAGE 34A

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\aqjmqeik.ini
F:\WINDOWS\system32\whjgujuy.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-02 22:32 . 2008-01-02 23:27 <DIR> d-------- F:\Program Files\Dl_cats
2008-01-02 22:32 . 2008-01-02 22:32 <DIR> d-------- F:\Program Files\Dell Color Printer 725
2008-01-02 22:32 . 2006-11-07 16:30 344,064 --a------ F:\WINDOWS\system32\dlcfcoin.dll
2008-01-02 22:32 . 2006-08-28 20:57 126,059 --a------ F:\WINDOWS\system32\dlcfceip.chm
2008-01-02 22:32 . 2005-08-18 10:26 40,960 --a------ F:\WINDOWS\system32\dlcfvs.dll
2008-01-02 22:29 . 2004-08-03 23:01 25,856 --a------ F:\WINDOWS\system32\drivers\usbprint.sys
2008-01-02 22:29 . 2004-08-03 23:01 25,856 --a--c--- F:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-25 00:39 . 2007-12-25 00:39 <DIR> d-------- F:\Program Files\Common Files\Agnitum Shared
2007-12-25 00:39 . 2007-12-25 00:39 <DIR> d-------- F:\Program Files\Agnitum
2007-12-12 10:44 . 2001-08-17 13:48 12,160 --a------ F:\WINDOWS\system32\drivers\mouhid.sys
2007-12-12 10:44 . 2001-08-17 13:48 12,160 --a--c--- F:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-08 00:26 . 2007-12-08 00:26 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\NVIDIA
2007-12-08 00:15 . 2007-12-08 00:15 <DIR> d-------- F:\Program Files\NVIDIA
2007-12-08 00:15 . 2006-10-22 15:06 208,896 --a------ F:\WINDOWS\system32\NVUNINST.EXE
2007-12-08 00:15 . 2006-10-22 12:22 208,896 --a------ F:\WINDOWS\system32\nvudisp.exe
2007-12-08 00:10 . 2007-12-08 00:10 <DIR> d-------- F:\Program Files\SystemRequirementsLab
2007-12-08 00:10 . 2007-12-08 00:10 <DIR> d-------- F:\Documents and Settings\makem.HAL\Application Data\SystemRequirementsLab
2007-12-07 18:01 . 2001-08-17 22:36 94,720 --a------ F:\WINDOWS\system32\umaxud32.dll
2007-12-07 18:01 . 2001-08-17 22:36 94,720 --a--c--- F:\WINDOWS\system32\dllcache\umaxud32.dll
2007-12-07 18:01 . 2001-08-17 22:36 50,688 --a------ F:\WINDOWS\system32\umaxscan.dll
2007-12-07 18:01 . 2001-08-17 22:36 50,688 --a--c--- F:\WINDOWS\system32\dllcache\umaxscan.dll
2007-12-07 18:01 . 2001-08-17 13:53 10,880 --a------ F:\WINDOWS\system32\drivers\scsiscan.sys
2007-12-07 18:01 . 2001-08-17 13:53 10,880 --a--c--- F:\WINDOWS\system32\dllcache\scsiscan.sys
2007-12-07 17:48 . 2001-08-17 14:07 55,168 --a------ F:\WINDOWS\system32\drivers\aic78u2.sys
2007-12-07 17:48 . 2001-08-17 14:07 55,168 --a--c--- F:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-07 17:48 . 2004-08-03 23:08 31,616 --a------ F:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-07 17:48 . 2004-08-03 23:08 31,616 --a--c--- F:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-07 17:48 . 2004-08-04 00:56 21,504 --a------ F:\WINDOWS\system32\hidserv.dll
2007-12-07 17:48 . 2004-08-04 00:56 21,504 --a--c--- F:\WINDOWS\system32\dllcache\hidserv.dll
2007-12-07 17:48 . 2004-08-03 22:58 14,848 --a------ F:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-07 17:48 . 2004-08-03 22:58 14,848 --a--c--- F:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-07 17:48 . 2001-08-17 14:02 9,600 --a------ F:\WINDOWS\system32\drivers\hidusb.sys
2007-12-07 17:48 . 2001-08-17 14:02 9,600 --a--c--- F:\WINDOWS\system32\dllcache\hidusb.sys
2007-12-03 19:57 . 2007-12-03 19:57 <DIR> d-------- F:\Documents and Settings\makem.HAL\Application Data\vlc
2007-12-03 19:19 . 2007-12-03 19:19 <DIR> d-------- F:\Documents and Settings\makem.HAL\Application Data\NewsLeecher

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 17:33 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\AVG7
2007-12-25 17:20 --------- d-----w F:\Program Files\FlashGet
2007-12-25 16:24 --------- d-----w F:\Program Files\SpywareGuard
2007-12-07 18:02 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\MailWasherPro
2007-11-18 17:43 --------- d-----w F:\Documents and Settings\All Users\Application Data\Avg7
2007-11-18 17:40 --------- d-----w F:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-18 17:39 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-18 17:22 --------- d-----w F:\Program Files\SUPERAntiSpyware
2007-11-18 17:20 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 17:20 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\SUPERAntiSpyware.com
2007-11-18 17:20 --------- d-----w F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 01:45 --------- d-----w F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-15 14:52 --------- d-----w F:\Program Files\Steam
2007-11-13 13:10 --------- d-----w F:\Program Files\Trend Micro
2007-10-16 11:02 1,422 ----a-w F:\Documents and Settings\makem.HAL\clean.reg
2006-03-11 17:55 457 ----a-w F:\Program Files\INSTALL.LOG
2001-11-23 12:08 712,704 ----a-w F:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"msnmsgr"="-F:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="-cmicnfg.cpl" []
"NeroFilterCheck"="-F:\WINDOWS\System32\NeroCheck.exe" [ ]
"IMEKRMIG6.1"="-F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [ ]
"SoundMan"="-SOUNDMAN.EXE" []
"QuickTime Task"="-F:\Program Files\QuickTime\qttask.exe" [ ]
"!AVG Anti-Spyware"="F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"DiskeeperSystray"="F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38 221184]
"ICQ Lite"="-F:\Program Files\ICQLite\ICQLite.exe" [ ]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 18:48 579072]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"nod32kui"="F:\Program Files\Eset\nod32kui.exe" [ ]
"6cdc9ce0"="F:\WINDOWS\system32\yujugjhw.dll" [ ]
"DLCFCATS"="F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 21:48 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-18 17:39 219136]

F:\Documents and Settings\makem\Start Menu\Programs\Startup\
DigiGuide.lnk - F:\Program Files\DigiGuide TV Guide\Client.exe [2005-10-30 22:55:56]

F:\Documents and Settings\makem.HAL\Start Menu\Programs\Startup\
SpywareGuard.lnk - F:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"Norun"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slczgvbi]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Acronis Scheduler2 Service"="F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

R1 SandBox;Outpost Firewall Sandbox Driver;F:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS [2006-12-13 14:23]
R1 VFILT;Outpost Firewall Kernel Driver;F:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS [2006-12-18 12:39]
R2 AsProbe;AsProbe;F:\WINDOWS\System32\drivers\AsProbe.sys [2004-06-24 10:37]
R2 UxTuneUp;TuneUp Design Expansion;F:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [2006-12-18 12:40]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\ARP.DLL [2006-12-18 12:40]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [2006-12-18 12:40]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [2006-12-18 12:39]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [2006-12-18 12:40]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [2006-12-18 12:39]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [2006-12-18 12:39]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [2006-12-18 12:40]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [2006-12-18 12:40]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [2006-12-18 12:40]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [2006-12-18 12:40]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [2006-12-18 12:40]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);F:\Program Files\Agnitum\Outpost Firewall\kernel\SECRET.DLL [2006-12-18 12:40]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;F:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-29 05:59]
S3 AvFlt;Antivirus Filter Driver;F:\WINDOWS\system32\drivers\av5flt.sys []
S3 HCW848NT;Hauppauge Win/TV;F:\WINDOWS\system32\DRIVERS\hcw848nt.sys [2000-06-12 14:54]
S3 HWACCESS;HWACCESS;F:\WINDOWS\system32\HWACCESS.SYS [2007-03-03 23:02]
S3 mirrorv3;mirrorv3;F:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-05-08 15:46]
S3 scsiscan;SCSI Scanner Driver;F:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:15:00 F:\WINDOWS\Tasks\1-Click Maintenance.job"
- F:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 17:50:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 17:53:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 17:53:01
.
2007-11-17 01:30:48 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:04, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\dlcfcoms.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\notepad.exe
F:\Documents and Settings\makem.HAL\Desktop\FireFox Downloads\HiJackThis.exe
F:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O4 - HKLM\..\Run: [DLCFCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: slczgvbi - F:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlcf_device - - F:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 8454 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby Trogan » January 3rd, 2008, 3:47 pm

Hello makem,

A few things before we start...

1. You have several P2P filesharing program installed.

  • Many of these programs come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does click here.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I recommend you uninstall all forms of P2P programs via Add/Remove programs in Control Panel.

Please note: you must NOT use this whilst we are cleaning your machine.

2. I see you have 3 anti-virus programs (AVG, Nod32 and Norton). This is NOT a good idea. Mutliple anti-virus programs will conflict with each and can cause all sorts of serious problems. Please uninstall 2 of the anti-virus programs and only keep one. Do not continue until this is done.


Please do the following...

1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 update3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
    • J2SE Runtime Environment 5.0 Update 5
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
2. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b

O20 - Winlogon Notify: slczgvbi - F:\WINDOWS\


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis

3. Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

F:\WINDOWS\system32\yujugjhw.dll

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!

4. Please post a new HijackThis log.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 4:08 pm

iIdo not use norton but cannot remove it because i get and error - cannot find F:/program files/common files/symantec shared/CfgWiz.exe

Nod32 does not appear in the add remove programs list or program files

iIhave removed bitornado and limewire

Shall I now carry on with your instructions?
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby Trogan » January 3rd, 2008, 4:26 pm

Hi.

Regarding Norton: download the Norton Removal Tool to your Desktop. Run the tool and follow the instructions.

Regarding Nod2: Click Start | All Programs | Eset | Uninstall - does that work?
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 4:58 pm

Norton and Eset removed.

Shall I now continue with your instructions above?
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby Trogan » January 3rd, 2008, 5:02 pm

Yes please!
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 5:23 pm

I cannot download the file re-6u3-windows-i586-p.exe

When | follow your instructions the page sends the file 1199394041310-integrated.jnlp and windows cannot run this file type.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 5:25 pm

Please ingore last - this time I do not have to make any selection so am getting the correct file
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 5:43 pm

I have carried out all instructions.

I had to exit SD resident to get the changes to to HJT enties, however I see at least 1 has come back.

I also see NOD32 is still metioned but I am sure the EST folder in prograsm files does not exist.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:12, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\dlcfcoms.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\makem.HAL\Desktop\FireFox Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DLCFCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - F:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlcf_device - - F:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 8853 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby Trogan » January 3rd, 2008, 6:07 pm

Hi makem,

Lets disable Spybots TeaTimer and try again:

  • Open Spybot Search & Destroy
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Exit SpyBot

AVG Anti-Spyware may be interfering with the fix:

  • Open AVG Anti-Spyware
  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Click on Change state next to Automatic updates. It should now change to inactive.
  • Close AVG Anti-Spyware

Now, please do the following...

1. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis

2. Run HijackThis again and click on Open the Misc Tools section.
Click on Delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

F:\WINDOWS\system32\yujugjhw.dll

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot to delete the file!

3. Please post a new HijackThis log.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 6:32 pm

All done

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:51, on 03/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\dlcfcoms.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\makem.HAL\Desktop\FireFox Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DLCFCATS] rundll32 F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - F:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dlcf_device - - F:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 8541 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Trojan/Virus still remains after your help

Unread postby Trogan » January 3rd, 2008, 6:49 pm

Hi makem,

Good job! Just want to run one more scan to ensure the computer is clean.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Please post the Kaspersky report back here.
User avatar
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Trojan/Virus still remains after your help

Unread postby makem » January 3rd, 2008, 7:08 pm

Hmm good job eh?
I don't think so - now Internet Explorer cannot access the internet!

I use Firefox but of course Kapersky only works with IE so I am stuck unless you can suggest how to reactivate IE which I hate but must use now and again.

BTW many thanks for this very fast service.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 289 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware