Newdotnet Broke My Network. Tried Everything...


This topic is locked
15 replies to this topic

#1 toughguyorhs
  • Members
  • 8 posts

Posted 09 December 2007 - 07:18 PM

Alright, I've got one for all the geniuses I've found on the forum. My brother used my computer w/o my permission, went to GOD knows what site, and I ended up with NewDotNet + a broken network connection. So far, I've used this computer to download and run: AVG Anti-Spyware, FixNewDotNet by Symantec, WinSockXPFix, and LSPFix. I finally got AVG to where it won't find any more NewDotNet entries when it's in "full system scan" mode. I've manually gone into the registry and gotten rid of the NewDotNet entries there.

The leftover problems are as follows:
No internet.
The firewall is automatically disabled about 3 minutes into my XP session.
AVG's "email scanner" is not fully functional (an error message I get).
guard.exe, whatever that is (AVG?), is giving my CPU hell.

When I run LSPFix, nothing is left in the 'remove' section, but here is what is in the 'keep' section:
winrnr
mswsock.dll
nwprovau.dll
rsvpsp.dll

WinSockXPFix finds no problems. I've tried cmd -> netsh winsock reset. No antivirus finds anything wrong with my computer. Spybot and Ad-Aware find nothing wrong, and they're updated as of the day before my freaking brother broke my comp. And last, but not least, here is my HijackThis log. I would really, truly appreciate anyone who can help me out. Thank you!

Scan saved at 4:55:26 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CB58D301-FF8E-48E5-95C7-501B2C52520C} - C:\WINDOWS\system32\diskcopyd.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [FIREPOD] C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: mmbiirkd - drmv2clte.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 December 2007 - 07:49 PM

Hello toughguyorhs,

Welcome to Bleeping Computer :blink:

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe <---this is the real time protection. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {CB58D301-FF8E-48E5-95C7-501B2C52520C} - C:\WINDOWS\system32\diskcopyd.dll (file missing)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - Winlogon Notify: mmbiirkd - drmv2clte.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Try these if you still have no internet connection:

Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful.

FOR CONNECTION PROBLEMS :
Click on Start, Control Panel, select the Network and Internet Connections category or double click on Network Connections, depending on which View you are using. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item. Write down the settings in case you should need to change them back. Select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks. If it does not prompt you to reboot go ahead and reboot manually.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
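
The entries tea checked in the post above share a few mechanical signals: a hook that points at a file no longer on disk ("(file missing)" / "(no file)"), a browser setting that has been blanked, a Winlogon Notify DLL with a random-looking name. The script below is an added example, not part of the thread and not a BleepingComputer tool: it parses HijackThis entry lines and applies those first-pass checks. It also flags the R1 ProxyServer line from the first log, which routes all of IE's traffic through localhost:8118 and localhost:9050 (the default listening ports of Privoxy and Tor); a proxy setting like that with nothing listening on those ports produces "no internet" in the browser on its own, so it is worth checking separately from the malware cleanup. The O10 line is reported for review rather than removal; the LSPFix output in the first post already lists nwprovau.dll under 'keep'. The sample input is a constructed subset of the log lines already posted in this thread, with benign entries kept for contrast.

```python
import re

# Constructed sample input for this example: a subset of the HijackThis lines posted in this
# thread, with benign entries (ssv.dll, WgaLogon, the AVG service) kept for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CB58D301-FF8E-48E5-95C7-501B2C52520C} - C:\WINDOWS\system32\diskcopyd.dll (file missing)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: mmbiirkd - drmv2clte.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# A HijackThis entry line is "<section code> - <body>"; headers and process lists do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_entries(log_text):
    """Yield (section_code, body) for every HijackThis entry line in the log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def local_proxy_ports(body):
    """Return the localhost ports named in an IE ProxyServer value such as
    'http=localhost:8118;socks=localhost:9050' (empty list if none point at this host)."""
    _, _, value = body.partition(" = ")
    ports = set()
    for item in value.split(";"):
        target = item.split("=", 1)[-1].strip()  # drop a 'http=' style prefix if present
        host, _, port = target.rpartition(":")
        if host.lower() in LOCAL_HOSTS and port.isdigit():
            ports.add(int(port))
    return sorted(ports)


def triage(log_text):
    """Apply the first-pass checks a helper applies by eye; returns (code, reason, body) tuples."""
    findings = []
    for code, body in parse_entries(log_text):
        if "(file missing)" in body or "(no file)" in body:
            findings.append((code, "hook points at a file that is no longer on disk "
                                   "(leftover of a removed component)", body))
        elif code.startswith("R") and body.rstrip().endswith("="):
            findings.append((code, "browser setting has been blanked; safe to reset to the default", body))
        elif "ProxyServer" in body and local_proxy_ports(body):
            ports = local_proxy_ports(body)
            findings.append((code, f"IE is routed through a local proxy on port(s) {ports}; "
                                   "with nothing listening there every page load fails", body))
        elif code == "O10":
            findings.append((code, "Winsock LSP HijackThis does not recognise; verify the DLL's "
                                   "publisher and repair with an LSP-aware tool rather than 'Fix checked', "
                                   "since a broken LSP chain takes down all networking", body))
    return findings


if __name__ == "__main__":
    for code, why, body in triage(SAMPLE_LOG):
        print(f"[{code}] {why}\n      {body}")
```

Run it against a full HijackThis log and the output is the short list a helper would start from; everything else in the log (the AVG services, the HP startup items) is left alone, which is the point: "Fix checked" is only ever applied to the specific lines a reviewer selected.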

#3 toughguyorhs

  • Topic Starter
  • Members
  • 8 posts

Posted 10 December 2007 - 12:03 AM

Hi! Now I really feel like I've tried everything. I did everything suggested, including the DNS flush, and have the new log files available. Under 'processes', guard.exe and csrss.exe are really eating up my CPU, but my main problem is still noooo internet, which is breaking my heart. That being said, here are my new log files!

ComboFix 07-12-10.1 - HP_Owner 2007-12-09 22:41:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.129 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\rpcc.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-09 22:06 . 2007-12-09 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 01:27 . 2007-12-06 01:27 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-12-06 01:25 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-05 23:39 . 2007-12-05 23:39 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-05 23:39 . 2007-12-06 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-05 18:39 . 2007-12-05 18:39 102 --a------ C:\WINDOWS\wininit.ini
2007-12-05 17:59 . 2007-12-05 17:59 <DIR> d-------- C:\Program Files\VVSN
2007-12-05 14:16 . 2007-12-05 14:16 116,480 --a------ C:\WINDOWS\system32\pvyllpwt.dat
2007-12-05 14:09 . 2007-12-06 01:14 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-12-05 14:09 . 2004-08-11 00:45 84,992 --a------ C:\WINDOWS\system32\drmv2clte.dll.bak
2007-11-26 15:00 . 2007-11-26 15:00 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-05 20:10 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-05 19:57 --------- d-----w C:\Program Files\AdVantage
2007-12-02 16:18 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2007-11-30 00:19 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2007-11-26 21:00 --------- d-----w C:\Program Files\SBC LightSpeed Self Support Tool
2007-11-26 20:59 --------- d-----w C:\Program Files\Viewpoint
2007-11-26 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-24 12:24 --------- d-----w C:\Program Files\BitComet
2007-11-13 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 02:09 --------- d-----w C:\Program Files\Yahoo!
2007-11-12 01:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-12 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-07 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-06 21:44 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-11-06 21:40 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-06 21:39 --------- d-----w C:\Program Files\SBC Self Support Tool
2007-11-06 21:06 --------- d-----w C:\Program Files\AF Uninstalls
2007-11-06 05:55 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\BSplayer
2007-11-06 05:51 --------- d-----w C:\Program Files\Webteh
2007-11-05 18:49 --------- d-----w C:\Program Files\NCH Swift Sound
2007-11-05 18:48 --------- d-----w C:\Program Files\Star Downloader
2007-11-05 07:00 --------- d-----w C:\Program Files\dBpowerAMP
2006-04-11 21:56 1,354 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2005-10-19 22:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-07 07:16 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 03:04]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 05:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 05:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 06:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 07:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 08:54]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 07:47 C:\WINDOWS\ALCXMNTR.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 08:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-04 23:06]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"FIREPOD"="C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE" [2004-07-21 16:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=C:\WINDOWS\pss\Kremlin Sentry.lnkStartup


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vicvggza

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Setup\Common\Autorun\AUTI386.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 04:47:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 22:47:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 22:48:31 - machine was rebooted
.
--- E O F ---
------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:48 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\Hj.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [FIREPOD] C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7087 bytes

thanx again!
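
The ComboFix log above lists one name, vicvggza, under "Svchost - NetSvcs", and the querySvc dump later in the thread shows where it sits: inside the REG_MULTI_SZ value that tells svchost.exe -k netsvcs which services to host in one process. A service added to that group is loaded as a DLL inside a trusted, Microsoft-signed svchost.exe, so it never appears as its own process in any of the process lists in the thread, which is why the helpers diff the group against a clean baseline instead of looking for a suspicious executable. The script below is an added example, not ComboFix's or querySvc's code: it parses the dump format shown in the thread (each string ends in a literal "\0", the list in "\0\0") and reports members that are not in the baseline. The baseline is the default Windows XP SP2 netsvcs membership as I recall it, which is an assumption to verify against a known-clean machine, and the sample input is a constructed copy of the value as printed in the dump.

```python
# Constructed sample input: the svchost key as printed by the registry dump later in this thread.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0vicvggza\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
"""

# Default members of the netsvcs group on Windows XP SP2. Assumption: reproduced from memory of a
# clean install; confirm against a known-good machine before treating a mismatch as malicious.
XP_SP2_NETSVCS = frozenset({
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "WmdmPmSN",
})


def parse_multi_sz(dump_text, value_name):
    """Return the strings of a REG_MULTI_SZ value from a '<name> REG_MULTI_SZ <data>' dump line,
    where <data> uses a literal backslash-zero as the string terminator. None if not present."""
    for line in dump_text.splitlines():
        parts = line.split(None, 2)  # value name, value type, data
        if len(parts) == 3 and parts[0] == value_name and parts[1] == "REG_MULTI_SZ":
            return [s for s in parts[2].split(r"\0") if s]
    return None


def unexpected_members(dump_text, baseline=XP_SP2_NETSVCS, registered_services=None):
    """Names in the netsvcs group that are not in the baseline. Service names are compared
    case-insensitively. If the set of registered service names is supplied (e.g. the O23 names
    from a HijackThis log), the finding also notes whether the name maps to any service at all."""
    members = parse_multi_sz(dump_text, "netsvcs") or []
    known = {n.lower() for n in baseline}
    registered = {n.lower() for n in registered_services} if registered_services is not None else None
    findings = []
    for name in members:
        if name.lower() in known:
            continue
        reason = "not in the default netsvcs group"
        if registered is not None and name.lower() not in registered:
            reason += " and no service of that name is registered"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in unexpected_members(SAMPLE_DUMP):
        print(f"{name}: {reason}")
```

On a real machine the next step is to read HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll for each flagged name and check that DLL's path and publisher; the group membership alone only tells you where to look.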

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 December 2007 - 01:48 PM

Hello,

After looking at your logs and consulting with the cavalry, I have to tell you that there's a lot more going on here than meets the eye. Not only do you have malware to contend with, but it has messed up your system to the point that it will take many posts at best to fix. We can try to do this, and if you decide to do so I have to ask that you do absolutely nothing more to the machine unless asked to do so.

Please let me know what you decide to do.

Regards,
tea

#5 toughguyorhs

  • Topic Starter
  • Members
  • 8 posts

Posted 10 December 2007 - 07:39 PM

Let's do it. I'm willing and able. Thanks -

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 December 2007 - 08:22 PM

Okie dokie then, this is where we start:

Click the link below and download it to your desktop. Double-click it and it will open a command prompt. Just let it run and it will produce a report for you in Notepad. Please copy and paste that report here in your reply. :thumbsup:

http://download.bleepingcomputer.com/sUBs/Beta/querySvc.zip

Thanks,
tea

#7 toughguyorhs

  • Topic Starter
  • Members
  • 8 posts

Posted 11 December 2007 - 04:04 PM

hi tea,

Oh my. Currently, my network is down at home on both computers I used (not the same problem), so I'm going to have to do this from my work computer until my network comes back up. Thanks for your help! I'll get back to you ASAP.

#8 toughguyorhs

  • Topic Starter
  • Members
  • 8 posts

Posted 11 December 2007 - 09:08 PM

Hi tea,
Here's the log you requested. My 'net is back up on the home network (but not the computer in question...). Here's the log from querySvc. Thanks again

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 20:03:25
Windows 5.1.2600 Service Pack 2

scanning processes ...

System [4]
C:\WINDOWS\system32\smss.exe [332] 0x82617B18
C:\WINDOWS\system32\csrss.exe [396] 0x82461410
C:\WINDOWS\system32\winlogon.exe [420] 0x824ED2F0
C:\WINDOWS\system32\services.exe [468] 0x824F8318
C:\WINDOWS\system32\lsass.exe [480] 0x82490248
C:\WINDOWS\system32\svchost.exe [628] 0x82458020
C:\WINDOWS\system32\svchost.exe [672] 0x825CB378
C:\WINDOWS\system32\svchost.exe [700] 0x823E8150
C:\WINDOWS\system32\svchost.exe [804] 0x82622BB8
C:\WINDOWS\system32\spoolsv.exe [904] 0x824B6DA0
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [1288] 0x8255F580
C:\WINDOWS\system\hpsysdrv.exe [1296] 0x825974B0
C:\WINDOWS\AGRSMMSG.exe [1304] 0x824A98B0
C:\WINDOWS\system32\hphmon06.exe [1328] 0x82485768
C:\hp\KBD\kbd.exe [1340] 0x824343C8
C:\WINDOWS\ALCXMNTR.EXE [1428] 0x82570900
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [1436] 0x823F6928
C:\Program Files\QuickTime\qttask.exe [1444] 0x82725D78
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe [1452] 0x82727580
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [1468] 0x82711020
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [1476] 0x82536DA0
C:\WINDOWS\system32\ctfmon.exe [1532] 0x8249F020
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe [1548] 0x825DE1F0
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1580] 0x8249FB28
C:\WINDOWS\explorer.exe [1896] 0x82469BD0
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [1088] 0x824D9B20
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [1148] 0x825B18C8
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [1276] 0x8246A990
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [1508] 0x82439B28
C:\WINDOWS\system32\CTSVCCDA.EXE [1516] 0x82464738
C:\Program Files\Common Files\LightScribe\LSSrvc.exe [1524] 0x826422B8
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [216] 0x8250DBC0
C:\WINDOWS\system32\svchost.exe [1200] 0x82514558
C:\WINDOWS\system32\wdfmgr.exe [1824] 0x824492B0
C:\WINDOWS\system32\wuauclt.exe [3392] 0x8273E1C8
C:\WINDOWS\system32\wscntfy.exe [3540] 0x82667948
C:\Program Files\Sonic RecordNow!\RecordNow.exe [3876] 0x82461978
C:\WINDOWS\system32\cmd.exe [2028] 0x824852D8
C:\WINDOWS\catchme.exe [2036] 0x82777628


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0vicvggza\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
CoInitializeSecurityParam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 8192 (0x2000)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 12320 (0x3020)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 2 (0x2)
AuthenticationCapabilities REG_DWORD 64 (0x40)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)


------ Services [Running]

SERVICE_NAME: AudioSrv
SERVICE_NAME: AVG Anti-Spyware Guard
SERVICE_NAME: Avg7Alrt
SERVICE_NAME: Avg7UpdSvc
SERVICE_NAME: AVGEMS
SERVICE_NAME: Creative Service for CDROM Access
SERVICE_NAME: CryptSvc
SERVICE_NAME: DcomLaunch
SERVICE_NAME: ERSvc
SERVICE_NAME: Eventlog
SERVICE_NAME: EventSystem
SERVICE_NAME: FastUserSwitchingCompatibility
SERVICE_NAME: helpsvc
SERVICE_NAME: lanmanserver
SERVICE_NAME: lanmanworkstation
SERVICE_NAME: LightScribeService
SERVICE_NAME: LmHosts
SERVICE_NAME: MDM
SERVICE_NAME: Netman
SERVICE_NAME: PlugPlay
SERVICE_NAME: ProtectedStorage
SERVICE_NAME: RasMan
SERVICE_NAME: RpcSs
SERVICE_NAME: SamSs
SERVICE_NAME: Schedule
SERVICE_NAME: seclogon
SERVICE_NAME: SENS
SERVICE_NAME: ShellHWDetection
SERVICE_NAME: Spooler
SERVICE_NAME: srservice
SERVICE_NAME: stisvc
SERVICE_NAME: TapiSrv
SERVICE_NAME: TermService
SERVICE_NAME: Themes
SERVICE_NAME: TrkWks
SERVICE_NAME: UMWdf
SERVICE_NAME: W32Time
SERVICE_NAME: WebClient
SERVICE_NAME: winmgmt
SERVICE_NAME: wscsvc
SERVICE_NAME: wuauserv
SERVICE_NAME: WZCSVC

------ Services [Stopped]

SERVICE_NAME: Alerter
SERVICE_NAME: ALG
SERVICE_NAME: AppMgmt
SERVICE_NAME: aspnet_state
SERVICE_NAME: BITS
SERVICE_NAME: Browser
SERVICE_NAME: CiSvc
SERVICE_NAME: ClipSrv
SERVICE_NAME: COMSysApp
SERVICE_NAME: Dhcp
SERVICE_NAME: dmadmin
SERVICE_NAME: dmserver
SERVICE_NAME: Dnscache
SERVICE_NAME: Fax
SERVICE_NAME: HidServ
SERVICE_NAME: HTTPFilter
SERVICE_NAME: IDriverT
SERVICE_NAME: ImapiService
SERVICE_NAME: iPodService
SERVICE_NAME: Messenger
SERVICE_NAME: mnmsrvc
SERVICE_NAME: MSDTC
SERVICE_NAME: MSIServer
SERVICE_NAME: NetDDE
SERVICE_NAME: NetDDEdsdm
SERVICE_NAME: Netlogon
SERVICE_NAME: Nla
SERVICE_NAME: NtLmSsp
SERVICE_NAME: NtmsSvc
SERVICE_NAME: ose
SERVICE_NAME: PolicyAgent
SERVICE_NAME: RasAuto
SERVICE_NAME: RDSessMgr
SERVICE_NAME: RemoteAccess
SERVICE_NAME: RpcLocator
SERVICE_NAME: RSVP
SERVICE_NAME: SCardSvr
SERVICE_NAME: SharedAccess
SERVICE_NAME: SSDPSRV
SERVICE_NAME: StarWindService
SERVICE_NAME: SwPrv
SERVICE_NAME: SysmonLog
SERVICE_NAME: upnphost
SERVICE_NAME: UPS
SERVICE_NAME: vicvggza
SERVICE_NAME: VSS
SERVICE_NAME: WmdmPmSN
SERVICE_NAME: WmiApSrv
SERVICE_NAME: xmlprov

------ Drivers [Running]

SERVICE_NAME: ACPI
SERVICE_NAME: AFD
SERVICE_NAME: AgereSoftModem
SERVICE_NAME: ALCXWDM
SERVICE_NAME: AmdK8
SERVICE_NAME: atapi
SERVICE_NAME: audstub
SERVICE_NAME: AVG Anti-Spyware Driver
SERVICE_NAME: Avg7Core
SERVICE_NAME: Avg7RsW
SERVICE_NAME: Avg7RsXP
SERVICE_NAME: AvgAsCln
SERVICE_NAME: AvgClean
SERVICE_NAME: Beep
SERVICE_NAME: catchme
SERVICE_NAME: Cdfs
SERVICE_NAME: Cdrom
SERVICE_NAME: Disk
SERVICE_NAME: Fastfat
SERVICE_NAME: Fips
SERVICE_NAME: FltMgr
SERVICE_NAME: Ftdisk
SERVICE_NAME: gagp30kx
SERVICE_NAME: Gpc
SERVICE_NAME: HTTP
SERVICE_NAME: i8042prt
SERVICE_NAME: Imapi
SERVICE_NAME: IPSec
SERVICE_NAME: isapnp
SERVICE_NAME: Iviaspi
SERVICE_NAME: Kbdclass
SERVICE_NAME: KSecDD
SERVICE_NAME: mnmdd
SERVICE_NAME: Modem
SERVICE_NAME: Mouclass
SERVICE_NAME: MountMgr
SERVICE_NAME: MRxDAV
SERVICE_NAME: MRxSmb
SERVICE_NAME: Msfs
SERVICE_NAME: mssmbios
SERVICE_NAME: Mup
SERVICE_NAME: NDIS
SERVICE_NAME: NdisTapi
SERVICE_NAME: Ndisuio
SERVICE_NAME: NdisWan
SERVICE_NAME: NDProxy
SERVICE_NAME: NetBIOS
SERVICE_NAME: NetBT
SERVICE_NAME: Npfs
SERVICE_NAME: Ntfs
SERVICE_NAME: Null
SERVICE_NAME: ohci1394
SERVICE_NAME: Parport
SERVICE_NAME: PartMgr
SERVICE_NAME: PCI
SERVICE_NAME: PCIIde
SERVICE_NAME: Pcouffin
SERVICE_NAME: Pfc
SERVICE_NAME: PptpMiniport
SERVICE_NAME: Ps2
SERVICE_NAME: PSched
SERVICE_NAME: Ptilink
SERVICE_NAME: PxHelp20
SERVICE_NAME: RasAcd
SERVICE_NAME: Rasl2tp
SERVICE_NAME: RasPppoe
SERVICE_NAME: Raspti
SERVICE_NAME: Rdbss
SERVICE_NAME: RDPCDD
SERVICE_NAME: redbook
SERVICE_NAME: Serenum
SERVICE_NAME: Serial
SERVICE_NAME: SiS315
SERVICE_NAME: SISAGP
SERVICE_NAME: SiSkp
SERVICE_NAME: SISNIC
SERVICE_NAME: sr
SERVICE_NAME: Srv
SERVICE_NAME: swenum
SERVICE_NAME: sysaudio
SERVICE_NAME: TermDD
SERVICE_NAME: Update
SERVICE_NAME: usbehci
SERVICE_NAME: usbhub
SERVICE_NAME: usbohci
SERVICE_NAME: USBSTOR
SERVICE_NAME: Vax347b
SERVICE_NAME: Vax347s
SERVICE_NAME: VgaSave
SERVICE_NAME: VolSnap
SERVICE_NAME: wdmaud

------ Drivers [Stopped]

SERVICE_NAME: 61883
SERVICE_NAME: Abiosdsk
SERVICE_NAME: abp480n5
SERVICE_NAME: ACPIEC
SERVICE_NAME: adpu160m
SERVICE_NAME: aec
SERVICE_NAME: Aha154x
SERVICE_NAME: aic78u2
SERVICE_NAME: aic78xx
SERVICE_NAME: AliIde
SERVICE_NAME: amsint
SERVICE_NAME: Arp1394
SERVICE_NAME: asc
SERVICE_NAME: asc3350p
SERVICE_NAME: asc3550
SERVICE_NAME: AsyncMac
SERVICE_NAME: Atdisk
SERVICE_NAME: Atmarpc
SERVICE_NAME: Avc
SERVICE_NAME: AvgTdi
SERVICE_NAME: bcbus
SERVICE_NAME: cbidf2k
SERVICE_NAME: cd20xrnt
SERVICE_NAME: Cdaudio
SERVICE_NAME: Changer
SERVICE_NAME: CmdIde
SERVICE_NAME: Cpqarray
SERVICE_NAME: dac960nt
SERVICE_NAME: dmboot
SERVICE_NAME: dmio
SERVICE_NAME: dmload
SERVICE_NAME: DMusic
SERVICE_NAME: dpti2o
SERVICE_NAME: drmkaud
SERVICE_NAME: Fdc
SERVICE_NAME: Flpydisk
SERVICE_NAME: hpn
SERVICE_NAME: i2omgmt
SERVICE_NAME: i2omp
SERVICE_NAME: ini910u
SERVICE_NAME: IntelIde
SERVICE_NAME: intelppm
SERVICE_NAME: Ip6Fw
SERVICE_NAME: IpFilterDriver
SERVICE_NAME: IpInIp
SERVICE_NAME: IpNat
SERVICE_NAME: IRENUM
SERVICE_NAME: kmixer
SERVICE_NAME: lbrtfdc
SERVICE_NAME: mraid35x
SERVICE_NAME: MSKSSRV
SERVICE_NAME: MSPCLOCK
SERVICE_NAME: MSPQM
SERVICE_NAME: NIC1394
SERVICE_NAME: NwlnkFlt
SERVICE_NAME: NwlnkFwd
SERVICE_NAME: ParVdm
SERVICE_NAME: PCIDump
SERVICE_NAME: Pcmcia
SERVICE_NAME: PDCOMP
SERVICE_NAME: PDFRAME
SERVICE_NAME: PDRELI
SERVICE_NAME: PDRFRAME
SERVICE_NAME: perc2
SERVICE_NAME: perc2hib
SERVICE_NAME: Processor
SERVICE_NAME: ps_1394
SERVICE_NAME: ps_avs
SERVICE_NAME: ql1080
SERVICE_NAME: Ql10wnt
SERVICE_NAME: ql12160
SERVICE_NAME: ql1240
SERVICE_NAME: ql1280
SERVICE_NAME: RDPWD
SERVICE_NAME: rtl8139
SERVICE_NAME: Secdrv
SERVICE_NAME: Sfloppy
SERVICE_NAME: Simbad
SERVICE_NAME: Sparrow
SERVICE_NAME: splitter
SERVICE_NAME: swmidi
SERVICE_NAME: symc810
SERVICE_NAME: symc8xx
SERVICE_NAME: sym_hi
SERVICE_NAME: sym_u3
SERVICE_NAME: Tcpip
SERVICE_NAME: TDPIPE
SERVICE_NAME: TDTCP
SERVICE_NAME: TosIde
SERVICE_NAME: Udfs
SERVICE_NAME: ultra
SERVICE_NAME: usbprint
SERVICE_NAME: usbscan
SERVICE_NAME: usbuhci
SERVICE_NAME: ViaIde
SERVICE_NAME: Wanarp
SERVICE_NAME: WDICA
SERVICE_NAME: WpdUsb
SERVICE_NAME: WS2IFSL

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 December 2007 - 12:24 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\Tasks\At1.job
Collect::
C:\WINDOWS\system32\drmv2clte.dll.bak
C:\WINDOWS\system32\pvyllpwt.dat
Driver::
vicvggza
NetSvc::
vicvggza


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please navigate to this file:

C:\WINDOWS\system32\drivers\tcpip.sys

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
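The Driver:: and NetSvc:: stanzas in the script above follow from one observation: the netsvcs group in the svchost dump posted earlier carries a name (vicvggza) that the stock Windows XP SP2 configuration does not. This added example (not the helper's tool and not code from this thread) parses a SteelWerX-style svchost dump, diffs each group against the stock XP SP2 membership, and prints the matching CFScript stanzas; the stock membership is an assumption to confirm against a known-clean machine, and the sample dump is constructed from the output posted in the thread.

```python
"""Audit svchost service groups from a SteelWerX-style registry dump.

Added example for this thread (not the helper's tool and not code from the
thread). It parses the REG_MULTI_SZ lines the SteelWerX Registry Console Tool
prints for HKLM\\...\\CurrentVersion\\Svchost, diffs each group against the
stock Windows XP SP2 membership, and prints the ComboFix CFScript stanzas
(Driver:: / NetSvc::) that the helper used for a rogue entry.
"""
import re

# Stock XP SP2 group membership. Assumption: this is the documented default;
# confirm it against a known-clean machine at the same service pack before use.
STOCK_XP_SP2 = {
    "netsvcs": {
        "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
        "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ",
        "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation",
        "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent",
        "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
        "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time",
        "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
        "wuauserv", "ShellHWDetection", "helpsvc", "WmdmPmSN",
    },
    "LocalService": {
        "Alerter", "WebClient", "LmHosts", "RemoteRegistry", "upnphost", "SSDPSRV",
    },
}

# Constructed sample: the svchost key as posted in this thread, abridged to the
# groups checked here. The tool writes a literal "\0" between the strings of a
# REG_MULTI_SZ value and "\0\0" as the terminator.
NETSVCS_VALUE = (
    r"6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0"
    r"EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0"
    r"LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0"
    r"NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0"
    r"Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0"
    r"vicvggza\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0"
    r"ShellHWDetection\0helpsvc\0WmdmPmSN\0\0"
)
SAMPLE_DUMP = "\n".join([
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost",
    r"HTTPFilter REG_MULTI_SZ HTTPFilter\0\0",
    r"LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0",
    "netsvcs REG_MULTI_SZ " + NETSVCS_VALUE,
    r"DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0",
])

MULTI_SZ_LINE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")


def parse_svchost_groups(dump):
    """Return {group_name: [service, ...]} for every REG_MULTI_SZ line in the dump.

    Splitting on the literal backslash-zero and dropping empty pieces handles the
    double terminator; key-path and REG_DWORD lines do not match and are skipped.
    """
    groups = {}
    for line in dump.splitlines():
        match = MULTI_SZ_LINE.match(line.strip())
        if match:
            name, raw_value = match.groups()
            groups[name] = [s for s in raw_value.split("\\0") if s]
    return groups


def unexpected_members(members, baseline):
    """Members not in the baseline, compared case-insensitively because Windows
    service names are not case-sensitive (order of the dump is preserved)."""
    known = {s.lower() for s in baseline}
    return [s for s in members if s.lower() not in known]


def audit(dump, baselines=STOCK_XP_SP2):
    """Map each baselined group to the members the stock configuration lacks."""
    groups = parse_svchost_groups(dump)
    return {
        group: unexpected_members(groups.get(group, []), expected)
        for group, expected in baselines.items()
    }


def cfscript_for(rogue_services):
    """ComboFix CFScript stanzas in the shape the helper posted: a Driver::
    stanza to remove the service/driver entry and a NetSvc:: stanza to drop
    its netsvcs membership, one name per line."""
    lines = ["Driver::", *rogue_services, "NetSvc::", *rogue_services]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = audit(SAMPLE_DUMP)
    for group, rogue in findings.items():
        print(f"{group}: unexpected members {rogue or 'none'}")
    netsvcs_rogue = findings["netsvcs"]
    if netsvcs_rogue:
        print("\nCFScript stanzas:\n" + cfscript_for(netsvcs_rogue), end="")
```

Running it against the constructed dump reports vicvggza as the only member outside the stock netsvcs group and prints the same two stanzas the helper wrote; a name missing from the baseline is a lead to investigate (the service's ImagePath, its file's vendor and timestamp), not proof of malware on its own.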

#10 toughguyorhs
  • Topic Starter
  • Members
  • 8 posts

Posted 14 December 2007 - 02:25 AM

Here we go:

Here's the VirusTotal log:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Win32.Malware.gen!80 (suspicious)
Additional information
MD5: c3720ba495bd94e3fe917f89016bab44
---------------

And the ComboFix log:

ComboFix 07-12-10.1 - HP_Owner 2007-12-14 1:05:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.113 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drmv2clte.dll.bak
C:\WINDOWS\system32\pvyllpwt.dat
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VICVGGZA
-------\vicvggza


((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-09 22:06 . 2007-12-09 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 01:27 . 2007-12-06 01:27 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2007-12-06 01:25 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-05 23:39 . 2007-12-05 23:39 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-05 23:39 . 2007-12-06 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-05 18:39 . 2007-12-05 18:39 102 --a------ C:\WINDOWS\wininit.ini
2007-12-05 17:59 . 2007-12-05 17:59 <DIR> d-------- C:\Program Files\VVSN
2007-12-05 14:09 . 2007-12-06 01:14 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-26 15:00 . 2007-11-26 15:00 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 07:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-05 20:10 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-05 19:57 --------- d-----w C:\Program Files\AdVantage
2007-12-02 16:18 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2007-11-30 00:19 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2007-11-26 21:00 --------- d-----w C:\Program Files\SBC LightSpeed Self Support Tool
2007-11-26 20:59 --------- d-----w C:\Program Files\Viewpoint
2007-11-26 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-24 12:24 --------- d-----w C:\Program Files\BitComet
2007-11-13 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 02:09 --------- d-----w C:\Program Files\Yahoo!
2007-11-12 01:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-12 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-07 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-06 21:44 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-11-06 21:40 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-06 21:39 --------- d-----w C:\Program Files\SBC Self Support Tool
2007-11-06 21:06 --------- d-----w C:\Program Files\AF Uninstalls
2007-11-06 05:55 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\BSplayer
2007-11-06 05:51 --------- d-----w C:\Program Files\Webteh
2007-11-05 18:49 --------- d-----w C:\Program Files\NCH Swift Sound
2007-11-05 18:48 --------- d-----w C:\Program Files\Star Downloader
2007-11-05 07:00 --------- d-----w C:\Program Files\dBpowerAMP
2006-04-11 21:56 1,354 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2005-10-19 22:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-07-07 07:16 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 03:04]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 05:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 05:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 06:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 07:43]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 08:17]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 08:54]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 07:47 C:\WINDOWS\ALCXMNTR.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 08:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-04 23:06]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"FIREPOD"="C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE" [2004-07-21 16:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=C:\WINDOWS\pss\Kremlin Sentry.lnkStartup


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\Setup\Common\Autorun\AUTI386.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 01:10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 1:11:51 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-09 22:48
.
--- E O F ---
--------------------------------

And the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:26 AM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Hj.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [FIREPOD] C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7087 bytes
-----------------------------------------------

You guys should be nominated for the Nobel NetPeace Prize. Thanks so much. Hopefully I'll fix this mess soon.

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Hj.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [FIREPOD] C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7087 bytes
-----------------------------------------------

You guys should be nominated for the Nobel NetPeace Prize. Thanks so much. Hopefully I'll fix this mess soon.

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 December 2007 - 11:34 AM

Hello,

Did you set this entry? R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
If not, check it in HijackThis, click Fix checked, then reboot.

You didn't say anything about your connection, so I have to assume you don't have it back? Let me know what's going on, and we'll move on to our next option. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
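The entry tea asks about above is the kind of thing a helper scans a HijackThis log for first: a ProxyServer value pointing at the machine itself means every browser request is handed to a local process, and if that process is no longer running (or was never legitimate), the symptom is exactly "no internet" with a healthy network stack. The following Python script is an added example, not code from this thread or from HijackThis; it parses lines in the HijackThis format shown above and flags three entry types: R1 ProxyServer values (loopback proxies rated highest), O10 "Unknown file in Winsock LSP" lines checked against the LSP DLLs that LSPFix listed under "keep" in the first post, and O23 services whose executable is missing. The sample log lines are constructed, modelled on the log posted above; the `*` key for a single `host:port` proxy value and the severity labels are this example's own conventions.

```python
"""Triage a HijackThis log for the entries a malware-response helper asks about first.

Added example, not code from this thread or from HijackThis itself. It runs on a few
constructed lines modelled on the log posted above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on the log posted above (not a real capture).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: iPodService - Unknown owner - C:\\Program Files\\iPod\\bin\\iPodService.exe (file missing)
"""

# The LSP DLLs that LSPFix listed under "keep" in the first post of this thread.
# Any other DLL in an O10 line needs identifying: NewDotNet installed itself as an LSP.
KNOWN_LSP_DLLS = frozenset({"mswsock.dll", "nwprovau.dll", "rsvpsp.dll", "winrnr.dll"})
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1"})
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_hjt_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O10 - body' into ('O10', 'body'); None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse a ProxyServer value into {protocol: 'host:port'}.

    Two forms occur: a bare 'host:port' that applies to every protocol (keyed '*'
    here, an assumption of this example) or 'proto=host:port;proto=host:port;...'.
    """
    value = value.strip()
    if "=" not in value:
        return {"*": value} if value else {}
    result: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            proto, _, target = part.partition("=")
            result[proto.strip().lower()] = target.strip()
    return result


def check_proxy(body: str) -> Optional[dict]:
    """R1: flag any ProxyServer entry; a loopback proxy is the case in this thread."""
    if ",ProxyServer = " not in body:
        return None
    proxies = parse_proxy_server(body.split(",ProxyServer = ", 1)[1])
    hosts = {target.rsplit(":", 1)[0].lower() for target in proxies.values()}
    if hosts & LOOPBACK_HOSTS:
        severity, reason = "high", ("browser traffic is routed to a proxy on this machine; "
                                    "if that process is gone, nothing loads")
    else:
        severity, reason = "medium", "proxy configured; confirm the user or their network set it"
    return {"kind": "R1", "severity": severity, "reason": reason, "detail": proxies}


def check_lsp(body: str) -> Optional[dict]:
    """O10: a Winsock LSP DLL HijackThis could not identify."""
    if not body.startswith("Unknown file in Winsock LSP:"):
        return None
    path = body.split(":", 1)[1].strip()
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    known = name in KNOWN_LSP_DLLS
    return {"kind": "O10", "severity": "low" if known else "high", "detail": path,
            "reason": ("LSP DLL is on LSPFix's keep list" if known else
                       "unrecognised LSP DLL; identify it before removing, a broken LSP chain kills networking")}


def check_service(body: str) -> Optional[dict]:
    """O23: a registered service whose binary no longer exists (stale, low priority)."""
    if not body.startswith("Service:") or "(file missing)" not in body:
        return None
    return {"kind": "O23", "severity": "low", "detail": body,
            "reason": "service registered but its executable is missing; clean up the entry"}


CHECKS = {"R1": check_proxy, "O10": check_lsp, "O23": check_service}


def triage(log_text: str) -> List[dict]:
    """Run each check over its section code and return findings in log order."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        kind, body = parsed
        check = CHECKS.get(kind)
        finding = check(body) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['kind']}: {f['reason']}")
```

On the constructed sample the script reports the loopback proxy as high, the O10 line as low (nwprovau.dll is on the keep list) and the missing iPodService binary as low. Ports 8118 and 9050 are the default listeners of Privoxy and Tor's SOCKS proxy respectively, so an entry like this one is consistent with a local anonymising proxy that was installed and later removed; in either case the fix tea suggests (remove the entry) restores direct connections, and the check is worth running before touching the LSP chain.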

#12 toughguyorhs

toughguyorhs
  • Topic Starter

  • Members
  • 8 posts

Posted 14 December 2007 - 03:35 PM

Hi tea,

No dice on the connection :thumbsup: even after I got rid of that entry in HijackThis.

What was this line in that VirusTotal log, by the way? "Webwasher-Gateway - - Win32.Malware.gen!80 (suspicious)"

Anyway, on to plan P, I guess :blink: As always, thanks for your help. Is there some way to donate to this forum?

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 December 2007 - 05:12 PM

Hi,

Is your other machine, the one you're posting from, a Windows XP machine? Give this a try ...

Go to this directory -> C:\Windows\System32\drivers\
Locate the file -> tcpip.sys
Rename it to -> tcpip.sys_old

Wait 5 seconds & refresh the page by pressing F5
See if the Operating System regenerates a fresh copy of tcpip.sys

If not, copy tcpip.sys from another machine & place it in the C:\Windows\System32\drivers\ directory
Reboot the machine!!

Look in my signature at the bottom for donations. :thumbsup:

Let me know how you come out!

Thanks,
tea

#14 toughguyorhs

toughguyorhs
  • Topic Starter

  • Members
  • 8 posts

Posted 15 December 2007 - 06:42 PM

HOLY SMOKES!!! Houston, we have internet. I don't have my wallet up here right this second, but rest assured you'll have a donation coming your way. I really, truly appreciate all of your help. Happy holidays!

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 December 2007 - 07:07 PM

w00t!! :blink: I'm ecstatic that it worked! I thought I heard something in the distance....Houston is just a few hours south of here. :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Everything else running all right?

Happy holidays to you too!!

tea