Svxela.exe


11 replies to this topic

#1 pippin254

Posted 03 December 2007 - 08:00 PM

Hello, I'm new to this forum, so I hope I do this correctly. I am running a Windows Media Center laptop, and I recently had a Vundo infection on my computer. I used VundoFix to get rid of the Vundo, and saw results immediately, but I'm still getting full-screen popups from svxela.com. The popups are full screen, and the Google popup blocker is doing nothing to block them. The pages that load are always either search engines that I've never heard of, car sales, or just a plain "the page cannot be displayed".

Help would be appreciated.

I did all the preparations for the HijackThis log. Here it is now....

Thank you.

_____________________________________________________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:32 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Scott\Desktop\Scott\finale crap\Finale NotePad 2007\FinaleNotePad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\01K3MNO7\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wiki.guildwars.com/wiki/Main_Page
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wiki.guildwars.com/wiki/Main_Page
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {ede90a3d-4d60-38ab-54d4-38fd9aac440c} - {c044caa9-df83-4d45-ba83-06d4d3a09ede} - C:\WINDOWS\system32\qfauqoii.dll
O2 - BHO: (no name) - {D8AAD286-7200-4543-AE8A-FE730EB69B52} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [c4e943a8] rundll32.exe "C:\WINDOWS\system32\tgeuqfqn.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe" (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-21-2000478354-57989841-725345543-1003 Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe (User '?')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 4: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/02/clip_image002.jpg
O24 - Desktop Component 5: (no name) - http://www.homestead.com/~media/elements/s...pt_disabled.gif
O24 - Desktop Component 6: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image003.jpg

--
End of file - 11084 bytes

#2 SifuMike

Posted 09 December 2007 - 11:18 PM

Hello pippin254,

I am SifuMike and I will be helping you. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {ede90a3d-4d60-38ab-54d4-38fd9aac440c} - {c044caa9-df83-4d45-ba83-06d4d3a09ede} - C:\WINDOWS\system32\qfauqoii.dll
O2 - BHO: (no name) - {D8AAD286-7200-4543-AE8A-FE730EB69B52} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O4 - HKLM\..\Run: [c4e943a8] rundll32.exe "C:\WINDOWS\system32\tgeuqfqn.dll",b


If you did not add the following images to your desktop, then fix them.
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 4: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/02/clip_image002.jpg
O24 - Desktop Component 5: (no name) - http://www.homestead.com/~media/elements/s...pt_disabled.gif
O24 - Desktop Component 6: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image003.jpg


*******************************************

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\tgeuqfqn.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.

Disable your Avast antivirus and any registry protectors (like TeaTimer, WinPatrol, Windows Defender, Spy Sweeper).


Let's run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used Combofix before, please delete the version you have and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note: It is important that it is saved directly to your desktop.

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log, the OTMoveIt log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

Edited by SifuMike, 09 December 2007 - 11:20 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
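As an added example (not code from the thread, and not part of HijackThis, OTMoveIt or ComboFix), the rules SifuMike applied when picking entries out of the log above can be written down as a small Python triage helper: orphaned BHOs, anonymous BHOs loading DLLs straight out of system32, a rundll32 Run entry with a hex-looking value name, and desktop components to confirm with the user. The sample lines are copied from pippin254's log; the rule names and thresholds are my own assumptions.

```python
"""Triage helper for HijackThis 2.0 log lines.

Added example, not part of HijackThis or any tool the thread's helper posted.
It encodes the entry classes SifuMike selected for "fix checked" as simple
rules, so the same shape of entry can be spotted in other logs of this format.
"""
import re

CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYSTEM32_DLL_RE = re.compile(r"\\system32\\([^\\\s]+\.dll)", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def triage_line(line):
    """Return human-readable reasons a HijackThis line deserves a look.

    An empty list means no rule fired; it does not mean the entry is clean.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.group(1), m.group(2)
    reasons = []

    if section == "O2" and rest.startswith("BHO:"):
        # Layout: "BHO: <name> - {<clsid>} - <path or (no file)>"
        fields = [f.strip() for f in rest[len("BHO:"):].split(" - ")]
        name = fields[0]
        path = fields[-1] if len(fields) >= 3 else ""
        if "(no file)" in path or "(file missing)" in path:
            reasons.append("BHO registration points at a DLL that is gone (orphaned entry)")
        # "(no name)" or a bare CLSID as the display name: no product identifies itself
        anonymous = name == "(no name)" or bool(CLSID_RE.match(name))
        if anonymous and SYSTEM32_DLL_RE.search(path):
            reasons.append("anonymous BHO loading a DLL straight out of system32")

    elif section == "O4":
        # Layout: "HKLM\..\Run: [<value name>] <command line>"
        km = re.match(r".*?\[([^\]]+)\]\s*(.*)$", rest)
        if km:
            value_name, cmd = km.group(1), km.group(2)
            uses_rundll32 = re.search(r"\brundll32(?:\.exe)?\b", cmd, re.I) is not None
            if uses_rundll32 and SYSTEM32_DLL_RE.search(cmd) and HEX_NAME_RE.match(value_name):
                reasons.append("rundll32 Run entry with a hex-looking value name loading a system32 DLL")

    elif section == "O24":
        # Desktop components are not malicious by themselves; the user has to confirm them
        reasons.append("desktop component; confirm the user added this image deliberately")

    return reasons


def triage_log(text):
    """Return (line, reasons) pairs for every flagged line, in log order."""
    findings = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {ede90a3d-4d60-38ab-54d4-38fd9aac440c} - {c044caa9-df83-4d45-ba83-06d4d3a09ede} - C:\WINDOWS\system32\qfauqoii.dll
O2 - BHO: (no name) - {D8AAD286-7200-4543-AE8A-FE730EB69B52} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [c4e943a8] rundll32.exe "C:\WINDOWS\system32\tgeuqfqn.dll",b
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

The SiteAdvisor BHO is "(no name)" too, but lives under Program Files, so the system32 rule deliberately leaves it alone, matching what SifuMike did.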

#3 pippin254

Posted 10 December 2007 - 10:41 AM

Sifumike, thank you for your reply, It is greatly appreciated.

I ran into a few problems with one of the applications, and did not want to proceed with ComboFix until I knew it was safe. I apologize: I'm not really good with computers :thumbsup:

OldTimer did not find the file that was listed, so it didn't produce a log. Avast! might have deleted it as adware, but I'm not sure. HijackThis fixed the files you wanted, however.

Is it safe to proceed with ComboFix?

Again, I apologize for this.

#4 SifuMike

Posted 10 December 2007 - 01:18 PM

Hi pippin254,

Yes, it is safe to proceed with ComboFix. Be sure to follow the instructions carefully.

Edited by SifuMike, 10 December 2007 - 02:59 PM.


#5 pippin254

Posted 10 December 2007 - 02:13 PM

OK, here is the ComboFix log and the HijackThis log.


ComboFix 07-12-09.1 - Scott 2007-12-10 11:51:39.1 - NTFSx86

Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\outlook
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cioemkvr.dll
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\ilrfxkwm.dll
C:\WINDOWS\system32\kkhbvsuu.dll
C:\WINDOWS\system32\mmrgahqt.dll
C:\WINDOWS\system32\pckutwqv.dll
C:\WINDOWS\system32\tolsbuae.dll
C:\WINDOWS\system32\trhysotj.dll
C:\WINDOWS\system32\uhbpwtov.dll
C:\WINDOWS\system32\vkrpdrbf.dll
C:\WINDOWS\system32\wgwjaagh.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-07 16:21 . 2007-12-07 16:21 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-07 16:09 . 2007-12-07 16:15 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-12-07 15:31 . 2007-08-13 18:40 991,232 --a------ C:\WINDOWS\system32\ieframe.dll.mui
2007-12-07 15:13 . 2007-12-07 15:14 47,104 --a------ C:\WINDOWS\system32\rpcnet.exe
2007-12-07 10:00 . 2007-08-20 03:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-07 10:00 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-07 10:00 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-07 10:00 . 2007-08-20 03:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-07 10:00 . 2007-08-20 03:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-07 10:00 . 2007-08-20 03:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-07 10:00 . 2007-08-20 03:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-07 10:00 . 2007-08-20 03:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-07 10:00 . 2007-08-17 03:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-05 18:30 . 2007-12-05 18:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Sibelius Software
2007-12-05 18:29 . 2007-12-05 18:29 <DIR> d-------- C:\Program Files\Sibelius Software
2007-12-03 18:31 . 2007-12-10 07:52 <DIR> d-------- C:\HijackThis
2007-11-29 17:52 . 2003-10-08 21:56 2,793,472 --a--c--- C:\halo.exe
2007-11-27 15:55 . 2007-11-27 15:56 <DIR> d-------- C:\Program Files\Finale PrintMusic 2007
2007-11-26 16:29 . 2007-11-26 16:29 268 --ah-c--- C:\sqmdata01.sqm
2007-11-26 16:29 . 2007-11-26 16:29 244 --ah-c--- C:\sqmnoopt01.sqm
2007-11-21 19:40 . 2007-11-21 19:46 <DIR> d----c--- C:\VundoFix Backups
2007-11-20 18:05 . 2007-11-20 18:05 <DIR> d----c--- C:\getservice
2007-11-20 11:27 . 2007-12-04 13:55 1,099,370 ---hs---- C:\WINDOWS\system32\nqfquegt.ini
2007-11-19 13:24 . 2007-11-19 13:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-19 13:24 . 2007-11-19 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 13:24 . 2007-11-19 13:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-19 09:52 . 2007-11-19 09:52 689,531 --ahs---- C:\WINDOWS\system32\bmkybxwm.ini
2007-11-18 08:22 . 2007-11-19 09:49 678,058 --ahs---- C:\WINDOWS\system32\omekmstj.ini
2007-11-17 02:42 . 2007-11-18 08:17 677,980 --ahs---- C:\WINDOWS\system32\medrfpnp.ini
2007-11-16 21:28 . 2007-11-16 21:28 677,920 --ahs---- C:\WINDOWS\system32\hrwtvpcd.ini
2007-11-15 19:33 . 2007-11-15 19:33 669,611 --ahs---- C:\WINDOWS\system32\skqjglgm.ini
2007-11-14 19:32 . 2007-11-15 19:33 669,551 --ahs---- C:\WINDOWS\system32\rlmewpna.ini
2007-11-14 18:24 . 2002-01-17 14:52 3,584 --a------ C:\WINDOWS\system32\wceprv.dll
2007-11-14 13:27 . 2007-11-14 15:34 671,136 --ahs---- C:\WINDOWS\system32\tghdtaug.ini
2007-11-10 23:09 . 2007-11-10 23:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-10 23:05 . 2007-11-10 23:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-10 19:34 . 2007-11-10 19:34 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2007-11-10 19:34 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-11-10 19:33 . 2007-11-10 19:33 <DIR> d-------- C:\Program Files\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 18:55 323,372 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-10 18:55 30,122,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-10 18:55 --------- d-----w C:\Program Files\Google
2007-12-10 18:54 36,168 ----a-w C:\Documents and Settings\Scott\Application Data\wklnhst.dat
2007-12-09 07:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-09 02:28 --------- d-----w C:\Documents and Settings\Scott\Application Data\U3
2007-12-08 04:16 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-07 23:31 --------- d-----w C:\Documents and Settings\Scott\Application Data\uTorrent
2007-12-07 23:31 --------- d-----w C:\Documents and Settings\Scott\Application Data\IMVU
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSTEXT.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSS___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSROMC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSP___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSM___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSJAPC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFBE_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFB__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSC___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUS____.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INKPEN2_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2TEXT.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2SPEC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2SCRI.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2METR.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2CHOR.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 00:45 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-04 00:40 --------- d-----w C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2007-11-30 01:14 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-22 04:03 57,830,936 ----a-w C:\WINDOWS\GuildWarsPanorama High Quality.scr
2007-11-22 04:03 230,306 ----a-w C:\WINDOWS\uninstall GuildWarsPanorama High Quality.exe
2007-11-16 15:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-10 03:14 --------- d-----w C:\Program Files\Starcraft
2007-11-07 21:17 --------- d-----w C:\Program Files\Proxifier
2007-11-06 22:33 --------- d-----w C:\Program Files\IGN
2007-11-06 22:33 --------- d-----w C:\Documents and Settings\Scott\Application Data\IGN_DLM
2007-11-06 22:32 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 02:25 --------- d-----w C:\Program Files\Microsoft Games
2007-11-01 03:38 --------- d-----w C:\Documents and Settings\Scott\Application Data\Uniblue
2007-10-25 20:54 --------- d-----w C:\Program Files\Overbond
2007-10-22 21:53 --------- d-----w C:\Program Files\MSN Messenger
2007-10-17 03:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-16 04:35 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 03:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-16 03:10 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-14 01:59 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-14 01:41 --------- d-----w C:\Documents and Settings\Scott\Application Data\Ahead
2007-10-14 01:39 --------- d-----w C:\Program Files\Nero
2007-10-13 21:41 --------- d-----w C:\Program Files\Java
2007-10-13 02:06 --------- d-----w C:\Program Files\Eidos Interactive
2007-10-13 02:06 --------- d-----w C:\Program Files\directx
2007-10-07 15:22 5,758 ----a-w C:\Program Files\install.log
2007-08-24 16:44 41,688 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-09-21 20:38]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-07-13 02:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-07 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 18:30 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 18:07]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-14 18:04]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 18:08]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-20 05:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 11:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2007-05-24 17:46:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{975ad106-58cc-11dc-890a-0016cf8f5a1e}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 15:44:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\Scott\LOCALS~1\Temp\rjexejkn.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 11:57:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 11:59:47 - machine was rebooted
.
--- E O F ---

and the new HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:23 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wiki.guildwars.com/wiki/Main_Page
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe" (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-21-2000478354-57989841-725345543-1003 Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe (User '?')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 4: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/02/clip_image002.jpg
O24 - Desktop Component 5: (no name) - http://www.homestead.com/~media/elements/s...pt_disabled.gif
O24 - Desktop Component 6: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image003.jpg

--
End of file - 11053 bytes

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:02 PM

Posted 10 December 2007 - 03:17 PM

Hi pippin254,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\nqfquegt.ini
C:\WINDOWS\system32\bmkybxwm.ini
C:\WINDOWS\system32\omekmstj.ini
C:\WINDOWS\system32\medrfpnp.ini
C:\WINDOWS\system32\hrwtvpcd.ini
C:\WINDOWS\system32\skqjglgm.ini
C:\WINDOWS\system32\rlmewpna.ini
C:\WINDOWS\system32\tghdtaug.ini

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
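A check for the step above (the File::/Folder:: script and the ComboFix.txt it produces), as an added example that is not ComboFix's or the poster's own code: it parses the CFScript sections and the report's "Other Deletions" list and reports which requested entries the report confirms. The section header shapes are taken from the logs in this thread; the sample inputs are constructed, with one file deliberately left out of the report to show the missing case.

```python
"""Cross-check a ComboFix CFScript against the ComboFix report it produced.

Added example; not ComboFix's or the forum's code. Assumes CFScript.txt uses
the File:: / Folder:: section headers shown in the post, and that
ComboFix.txt lists removed items under its "Other Deletions" banner.
"""
import re

# Constructed sample: a CFScript in the shape of the one in the post above.
CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\nqfquegt.ini
C:\\WINDOWS\\system32\\bmkybxwm.ini

Folder::
C:\\VundoFix Backups
"""

# Constructed sample: an excerpt shaped like the ComboFix report in the reply
# (bmkybxwm.ini is intentionally absent so the "missing" path is exercised).
COMBOFIX_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\VundoFix Backups
C:\\VundoFix Backups\\addmorefiles.txt
C:\\WINDOWS\\system32\\nqfquegt.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
"""

# "File::", "Folder::" and similar CFScript section headers.
SECTION_RE = re.compile(r"^(\w+)::\s*$")

# ComboFix banner lines: "(((( Title ))))".
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_cfscript(text):
    """Return {section: [paths]} for a CFScript, e.g. {"File": [...], "Folder": [...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_sections(text):
    """Return {banner title: [non-empty lines]} for each banner in a ComboFix report."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def confirm_deletions(cfscript_text, combofix_text):
    """Report which CFScript entries ComboFix lists under 'Other Deletions'.

    Paths compare case-insensitively (Windows paths are). A Folder:: entry
    counts as confirmed when the folder itself or anything beneath it appears.
    """
    wanted = parse_cfscript(cfscript_text)
    report = parse_combofix_sections(combofix_text)
    deleted = [p.lower() for p in report.get("Other Deletions", [])]
    confirmed, missing = [], []
    for path in wanted.get("File", []):
        (confirmed if path.lower() in deleted else missing).append(path)
    for folder in wanted.get("Folder", []):
        prefix = folder.lower().rstrip("\\") + "\\"
        hit = any(d == folder.lower() or d.startswith(prefix) for d in deleted)
        (confirmed if hit else missing).append(folder)
    return {"confirmed": confirmed, "missing": missing}


if __name__ == "__main__":
    result = confirm_deletions(CFSCRIPT, COMBOFIX_LOG)
    for path in result["confirmed"]:
        print("confirmed:", path)
    for path in result["missing"]:
        print("MISSING:  ", path)
```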

#7 pippin254

pippin254
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:02 AM

Posted 10 December 2007 - 05:41 PM

Alrighty, here is the new ComboFix log.

ComboFix 07-12-09.1 - Scott 2007-12-10 13:34:00.2 - NTFSx86

Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\bmkybxwm.ini
C:\WINDOWS\system32\hrwtvpcd.ini
C:\WINDOWS\system32\medrfpnp.ini
C:\WINDOWS\system32\nqfquegt.ini
C:\WINDOWS\system32\omekmstj.ini
C:\WINDOWS\system32\rlmewpna.ini
C:\WINDOWS\system32\skqjglgm.ini
C:\WINDOWS\system32\tghdtaug.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ysjjsbup.dll.bad
C:\WINDOWS\system32\bmkybxwm.ini
C:\WINDOWS\system32\hrwtvpcd.ini
C:\WINDOWS\system32\medrfpnp.ini
C:\WINDOWS\system32\nqfquegt.ini
C:\WINDOWS\system32\omekmstj.ini
C:\WINDOWS\system32\rlmewpna.ini
C:\WINDOWS\system32\skqjglgm.ini
C:\WINDOWS\system32\tghdtaug.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-07 16:21 . 2007-12-07 16:21 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-07 16:09 . 2007-12-07 16:15 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-12-07 15:31 . 2007-08-13 18:40 991,232 --a------ C:\WINDOWS\system32\ieframe.dll.mui
2007-12-07 15:13 . 2007-12-07 15:14 47,104 --a------ C:\WINDOWS\system32\rpcnet.exe
2007-12-07 10:00 . 2007-08-20 03:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-07 10:00 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-07 10:00 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-07 10:00 . 2007-08-20 03:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-07 10:00 . 2007-08-20 03:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-07 10:00 . 2007-08-20 03:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-07 10:00 . 2007-08-20 03:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-07 10:00 . 2007-08-20 03:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-07 10:00 . 2007-08-17 03:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-05 18:30 . 2007-12-05 18:30 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Sibelius Software
2007-12-05 18:29 . 2007-12-05 18:29 <DIR> d-------- C:\Program Files\Sibelius Software
2007-12-03 18:31 . 2007-12-10 12:12 <DIR> d-------- C:\HijackThis
2007-11-29 17:52 . 2003-10-08 21:56 2,793,472 --a--c--- C:\halo.exe
2007-11-27 15:55 . 2007-11-27 15:56 <DIR> d-------- C:\Program Files\Finale PrintMusic 2007
2007-11-26 16:29 . 2007-11-26 16:29 268 --ah-c--- C:\sqmdata01.sqm
2007-11-26 16:29 . 2007-11-26 16:29 244 --ah-c--- C:\sqmnoopt01.sqm
2007-11-20 18:05 . 2007-11-20 18:05 <DIR> d----c--- C:\getservice
2007-11-19 13:24 . 2007-11-19 13:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-19 13:24 . 2007-11-19 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 13:24 . 2007-11-19 13:24 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-14 18:24 . 2002-01-17 14:52 3,584 --a------ C:\WINDOWS\system32\wceprv.dll
2007-11-10 23:09 . 2007-11-10 23:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-10 23:05 . 2007-11-10 23:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-10 19:34 . 2007-11-10 19:34 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2007-11-10 19:34 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-11-10 19:33 . 2007-11-10 19:33 <DIR> d-------- C:\Program Files\DVDVideoSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 20:36 323,756 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-10 20:36 30,122,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-10 20:31 --------- d-----w C:\Documents and Settings\Scott\Application Data\uTorrent
2007-12-10 18:59 --------- d-----w C:\Documents and Settings\Scott\Application Data\IMVU
2007-12-10 18:55 --------- d-----w C:\Program Files\Google
2007-12-10 18:54 36,168 ----a-w C:\Documents and Settings\Scott\Application Data\wklnhst.dat
2007-12-09 07:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-09 02:28 --------- d-----w C:\Documents and Settings\Scott\Application Data\U3
2007-12-08 04:16 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSTEXT.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSS___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSROMC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSPC__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSP___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSM___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSJAPC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFBE_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFB__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUSC___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\OPUS____.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INKPEN2_.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2TEXT.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2SPEC.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2SCRI.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2METR.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\INK2CHOR.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT
2007-12-06 01:29 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 00:45 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-04 00:40 --------- d-----w C:\Documents and Settings\Scott\Application Data\SiteAdvisor
2007-11-30 01:14 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-22 04:03 57,830,936 ----a-w C:\WINDOWS\GuildWarsPanorama High Quality.scr
2007-11-22 04:03 230,306 ----a-w C:\WINDOWS\uninstall GuildWarsPanorama High Quality.exe
2007-11-16 15:43 --------- d-----w C:\Program Files\Apple Software Update
2007-11-10 03:14 --------- d-----w C:\Program Files\Starcraft
2007-11-07 21:17 --------- d-----w C:\Program Files\Proxifier
2007-11-06 22:33 --------- d-----w C:\Program Files\IGN
2007-11-06 22:33 --------- d-----w C:\Documents and Settings\Scott\Application Data\IGN_DLM
2007-11-06 22:32 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 02:25 --------- d-----w C:\Program Files\Microsoft Games
2007-11-01 03:38 --------- d-----w C:\Documents and Settings\Scott\Application Data\Uniblue
2007-10-25 20:54 --------- d-----w C:\Program Files\Overbond
2007-10-22 21:53 --------- d-----w C:\Program Files\MSN Messenger
2007-10-17 03:00 --------- dc----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-16 04:35 --------- d-----w C:\Program Files\Warcraft III
2007-10-16 03:10 --------- dc----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-16 03:10 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-14 01:59 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-14 01:41 --------- d-----w C:\Documents and Settings\Scott\Application Data\Ahead
2007-10-14 01:39 --------- d-----w C:\Program Files\Nero
2007-10-13 21:41 --------- d-----w C:\Program Files\Java
2007-10-13 02:06 --------- d-----w C:\Program Files\Eidos Interactive
2007-10-13 02:06 --------- d-----w C:\Program Files\directx
2007-10-07 15:22 5,758 ----a-w C:\Program Files\install.log
2007-08-24 16:44 41,688 ----a-w C:\Documents and Settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-12-10_11.59.18.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-10 18:56:22 47,104 ----a-w C:\WINDOWS\system32\rpcnet.dll
+ 2007-12-10 20:37:03 47,104 ----a-w C:\WINDOWS\system32\rpcnet.dll
- 2007-12-10 18:56:25 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
+ 2007-12-10 20:37:06 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
+ 2007-12-10 20:37:02 16,384 ------w C:\WINDOWS\Temp\Perflib_Perfdata_6c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-09-21 20:38]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-07-13 02:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-07 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 18:30 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 18:07]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-14 18:04]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 18:08]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-20 05:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-13 11:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2007-05-24 17:46:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{975ad106-58cc-11dc-890a-0016cf8f5a1e}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 15:44:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 13:52:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 13:54:55 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-10 11:59
.
--- E O F ---

and the new HijackThis log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:12 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wiki.guildwars.com/wiki/Main_Page
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe" (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2000478354-57989841-725345543-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-21-2000478354-57989841-725345543-1003 Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe (User '?')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/03/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/04/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/05/clip_image002.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 4: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/02/clip_image002.jpg
O24 - Desktop Component 5: (no name) - http://www.homestead.com/~media/elements/s...pt_disabled.gif
O24 - Desktop Component 6: (no name) - file:///C:/DOCUME~1/Scott/LOCALS~1/Temp/msohtml1/01/clip_image003.jpg

--
End of file - 10922 bytes

#8 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 December 2007 - 06:25 PM

Hi pippin254,

Your log looks clean! :thumbsup: Good job on the cleanup! How is the computer running?

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 pippin254

pippin254
  • Topic Starter

  • Members
  • 19 posts

Posted 10 December 2007 - 06:28 PM

The computer looks a LOT better! No more popups, and avast (for once) didn't find any adware!

Thank you so much! If I can find a way to get a paypal account, I will definitely consider a donation. You pretty much saved my computer! :thumbsup:

#10 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 December 2007 - 06:32 PM

You're very welcome. Hope your computer continues to run smoothly.

If I can find a way to get a paypal account, I will definitely consider a donation.


Thanks. If you have a debit or credit card, then you can easily make a paypal account.

#11 pippin254

pippin254
  • Topic Starter

  • Members
  • 19 posts

Posted 10 December 2007 - 06:34 PM

Very true. I will see what I can do.

Thanks again! :thumbsup:

#12 SifuMike

SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 December 2007 - 01:20 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.