Searching for the answer to my problem brought me to your website and this thread http://www.daniweb.com/forums/nextoldesttothread31710.html

My Explorer.exe keeps restarting itself; in some cases it just crashes.

I have discovered viruses like Virtumonde.dll and Ctfmon.dll and have failed in my attempts to delete them forever. When I think the problem is fixed, it just comes back later on. Please HELP :(

This is the Hijack Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:09:48, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3CB215-1609-49A2-A7F2-BB92E8397AA0} - C:\WINDOWS\system32\xxywWNGY.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6233D25F-E3C1-4A4C-A4F5-4A36E6AD34AD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A493D00-648B-4B5E-9630-CEFBF82B057B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - C:\WINDOWS\system32\ssqNHBrs.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4848C46-F213-4608-986E-CA48582F11C0} - (no file)
O2 - BHO: (no name) - {D9866F3D-A586-4F74-BB27-477140581789} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8631] command /c del "C:\WINDOWS\system32\xxywWNGY.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9412] cmd /c del "C:\WINDOWS\system32\xxywWNGY.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [SpybotDeletingB1447] command /c del "C:\WINDOWS\system32\xxywWNGY.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7969] cmd /c del "C:\WINDOWS\system32\xxywWNGY.dll_old"
O4 - HKUS\S-1-5-21-861567501-220523388-839522115-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User 'Michael')
O4 - HKUS\S-1-5-21-861567501-220523388-839522115-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Michael')
O4 - HKUS\S-1-5-21-861567501-220523388-839522115-1004\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'Michael')
O4 - HKUS\S-1-5-21-861567501-220523388-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Michael')
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204019719796
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ssqNHBrs - C:\WINDOWS\SYSTEM32\ssqNHBrs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Hi and welcome to the Daniweb forums :).

==========

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hi

Here is the log from comboFix

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\Michael\Application Data\inst.exe
C:\WINDOWS\system32\dKlknnpo.ini
C:\WINDOWS\system32\dKlknnpo.ini2
C:\WINDOWS\system32\ENoWxGgh.ini
C:\WINDOWS\system32\ENoWxGgh.ini2
C:\WINDOWS\system32\GfijRXyb.ini
C:\WINDOWS\system32\GfijRXyb.ini2
C:\WINDOWS\system32\IPXEgfhk.ini
C:\WINDOWS\system32\IPXEgfhk.ini2
C:\WINDOWS\system32\opnnklKd.dll
C:\WINDOWS\system32\ssqNHBrs.dll
C:\WINDOWS\system32\systeminfo.dll
C:\WINDOWS\system32\YGNWwyxx.ini
C:\WINDOWS\system32\YGNWwyxx.ini2


.
(((((((((((((((((((((((((   Files Created from 2008-05-05 to 2008-06-05  )))))))))))))))))))))))))))))))
.


2008-06-05 18:55 . 2008-06-05 18:55 <DIR>    d--------   C:\Program Files\Trend Micro
2008-06-05 18:48 . 2008-06-05 18:48 <DIR>    d--------   C:\Program Files\CCleaner
2008-06-05 16:38 . 2008-06-05 16:38 <DIR>    d--------   C:\Documents and Settings\Mike2.BIGMIKES\Application Data\Uniblue
2008-06-05 15:10 . 2008-06-05 15:10 <DIR>    d--------   C:\Documents and Settings\NewME
2008-06-05 15:10 . 2004-08-04 00:56 221,184 --a------   C:\WINDOWS\system32\wmpns.dll
2008-06-05 07:06 . 2008-06-05 07:06 <DIR>    d--------   C:\VundoFix Backups
2008-06-05 06:43 . 2008-06-05 06:43 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-05 06:42 . 2008-06-05 06:42 <DIR>    d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-06-05 06:32 . 2008-06-05 06:32 <DIR>    d--------   C:\WINDOWS\system32\drivers\Avg
2008-06-05 06:32 . 2008-06-05 06:32 <DIR>    d--------   C:\Program Files\AVG
2008-06-05 06:32 . 2008-06-05 06:32 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg8
2008-06-05 06:32 . 2008-06-05 06:32 96,520  --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-05 06:32 . 2008-06-05 06:32 73,864  --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-05 06:32 . 2008-06-05 06:32 14,104  --a------   C:\WINDOWS\system32\avgrsstx.dll
2008-06-05 06:32 . 2008-06-05 06:32 12,424  --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-05 06:22 . 2008-06-05 06:22 <DIR>    d--------   C:\Program Files\Spybot - Search & Destroy
2008-06-05 06:22 . 2008-06-05 15:01 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 06:09 . 2008-06-05 06:09 <DIR>    d--------   C:\Program Files\Panda Security
2008-06-04 23:01 . 2008-06-04 23:01 <DIR>    d--------   C:\WINDOWS\Sun
2008-06-04 23:01 . 2008-06-05 05:48 <DIR>    d--------   C:\Documents and Settings\Michael\.housecall6.6
2008-06-04 23:00 . 2008-06-04 23:00 <DIR>    d--------   C:\Program Files\Java
2008-06-04 23:00 . 2005-04-13 03:48 49,265  --a------   C:\WINDOWS\system32\jpicpl32.cpl
2008-06-04 22:58 . 2008-06-04 22:58 <DIR>    d--------   C:\Program Files\Common Files\Java
2008-06-04 22:42 . 2008-06-05 18:11 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2008-06-04 22:42 . 2008-06-05 18:11 1,409   --a------   C:\WINDOWS\QTFont.for
2008-06-04 18:42 . 2004-01-12 14:02 123,904 -ra------   C:\WINDOWS\system32\XMUpload.1.0.1.dll
2008-05-28 15:19 . 2008-05-28 15:19 <DIR>    d--------   C:\Program Files\Eltima Software
2008-05-28 15:19 . 2007-06-29 10:55 3,345,408   --a------   C:\WINDOWS\system32\avcodec-51.dll
2008-05-28 15:19 . 2007-06-29 10:55 577,536 --a------   C:\WINDOWS\system32\audiocodec.dll
2008-05-28 15:19 . 2007-06-29 10:55 448,512 --a------   C:\WINDOWS\system32\avformat-50.dll
2008-05-28 15:19 . 2007-06-29 10:55 282,624 --a------   C:\WINDOWS\system32\4codedecoder.dll
2008-05-28 15:19 . 2007-06-29 10:55 233,472 --a------   C:\WINDOWS\system32\dllzaac.dll
2008-05-28 15:19 . 2007-06-29 10:55 217,088 --a------   C:\WINDOWS\system32\mp4filelib.dll
2008-05-28 15:19 . 2007-06-29 10:55 57,344  --a------   C:\WINDOWS\system32\streamio.dll
2008-05-28 15:19 . 2007-06-29 10:55 19,968  --a------   C:\WINDOWS\system32\avutil-49.dll
2008-05-24 13:47 . 2008-05-24 13:47 <DIR>    d--------   C:\Program Files\Uniblue
2008-05-24 13:47 . 2008-05-24 13:47 <DIR>    d--------   C:\Documents and Settings\Michael\Application Data\Uniblue
2008-05-24 13:43 . 2008-06-04 22:44 <DIR>    d--------   C:\Documents and Settings\Mike2.BIGMIKES\Application Data\AVG7
2008-05-23 21:02 . 2008-05-23 21:02 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\CyberLink
2008-05-23 06:51 . 2008-05-23 06:51 <DIR>    d--------   C:\Program Files\EA Sports
2008-05-23 06:38 . 2008-05-23 13:43 <DIR>    d--------   C:\Program Files\DAEMON Tools Lite
2008-05-23 06:34 . 2008-05-23 06:34 <DIR>    d--------   C:\Documents and Settings\Michael\Application Data\DAEMON Tools
2008-05-23 06:34 . 2008-05-23 06:34 717,296 --a------   C:\WINDOWS\system32\drivers\sptd.sys
2008-05-22 17:56 . 2008-05-22 17:56 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-22 16:18 . 2008-05-22 16:18 <DIR>    d--------   C:\Program Files\Universal boxing manager
2008-05-22 16:18 . 2008-05-23 16:25 <DIR>    d--------   C:\Documents and Settings\Michael\Application Data\Universal Boxing Manager
2008-05-21 15:26 . 2008-05-21 15:26 <DIR>    d--------   C:\Program Files\Cucusoft
2008-05-21 15:26 . 2008-05-28 15:19 <DIR>    d--------   C:\ConverterOutput
2008-05-21 15:26 . 2004-10-12 14:40 2,255,360   --a------   C:\WINDOWS\system32\libavcodec.dll
2008-05-21 15:26 . 2004-10-12 14:46 1,761,280   --a------   C:\WINDOWS\system32\ffdshow.ax
2008-05-21 15:26 . 2004-10-05 16:16 395,776 --a------   C:\WINDOWS\system32\libmplayer.dll
2008-05-21 15:26 . 2004-10-12 14:42 262,144 --a------   C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-05-21 15:26 . 2003-04-03 00:17 172,032 --a------   C:\WINDOWS\system32\ac3filter.ax
2008-05-21 15:26 . 2004-10-04 01:50 112,640 --a------   C:\WINDOWS\system32\libmpeg2_ff.dll
2008-05-21 15:25 . 2008-05-21 15:25 <DIR>    d--------   C:\Program Files\Common Files\Download Manager
2008-05-20 22:13 . 2008-05-20 22:13 <DIR>    d--------   C:\Program Files\SmartSound Software
2008-05-20 22:13 . 2008-05-20 22:13 <DIR>    d--------   C:\Documents and Settings\Michael\Application Data\CyberLink
2008-05-20 22:13 . 2008-05-20 22:13 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-05-20 22:11 . 2008-05-20 22:15 <DIR>    d--------   C:\Program Files\Cyberlink
2008-05-20 20:24 . 2008-06-03 14:54 <DIR>    d--------   C:\Documents and Settings\Michael\Application Data\ZoomBrowser EX
2008-05-11 22:10 . 2008-05-11 22:42 <DIR>    d--------   C:\Program Files\Health And Fitness Club Tycoon
2008-05-11 22:06 . 2008-05-11 22:06 <DIR>    d--------   C:\Program Files\Las Vegas Tycoon
2008-05-11 21:53 . 2008-05-11 21:54 <DIR>    d--------   C:\Program Files\Chemist Tycoon
2008-05-11 21:47 . 2008-05-11 21:47 <DIR>    d--------   C:\Program Files\Carwash Tycoon
2008-05-11 15:19 . 2008-05-11 15:19 <DIR>    d--------   C:\Program Files\PhotoBox
2008-05-11 08:33 . 2008-05-11 18:12 <DIR>    d--------   C:\Program Files\Lemonade Tycoon 2
2008-05-09 21:43 . 2008-05-09 21:43 <DIR>    d--------   C:\WINDOWS\CinemaTycoonCC
2008-05-09 21:43 . 2008-05-11 20:46 <DIR>    d--------   C:\Program Files\CinemaTycoonCC
2008-05-08 22:06 . 2008-05-11 22:09 <DIR>    d--------   C:\Program Files\Cinema Tycoon Gold
2008-05-08 22:05 . 2008-05-08 22:05 <DIR>    d--------   C:\Program Files\ReflexiveArcade
2008-05-05 20:48 . 2008-05-06 23:48 <DIR>    d--------   C:\Program Files\Uplink


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 21:30    ---------   d-----w C:\Program Files\Symantec AntiVirus
2008-06-05 21:16    ---------   d-----w C:\Documents and Settings\Michael\Application Data\uTorrent
2008-06-04 21:39    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-04 17:45    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2008-06-04 17:45    ---------   d-----w C:\Program Files\Xara
2008-06-03 13:54    ---------   d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-05-24 16:24    ---------   d-----w C:\Documents and Settings\Michael\Application Data\dvdcss
2008-05-22 17:21    ---------   d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-22 17:17    ---------   d-----w C:\Documents and Settings\Michael\Application Data\CameraWindowDC
2008-05-11 21:08    ---------   d-----w C:\Program Files\Bonjour
2008-04-30 00:05    ---------   d-----w C:\Program Files\uTorrent
2008-04-25 23:59    ---------   d-----w C:\Program Files\Doom 3
2008-04-21 20:02    ---------   d-----w C:\Program Files\ImageCut
2008-04-09 23:05    ---------   d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-09 22:58    ---------   d-----w C:\Program Files\Common Files\Adobe
2008-04-09 22:51    ---------   d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-08 22:30    ---------   d-----w C:\Documents and Settings\Michael\Application Data\CANON INC
2008-04-08 09:15    ---------   d-----w C:\Documents and Settings\Michael\Application Data\Xara
2008-04-05 21:36    ---------   d-----w C:\Program Files\Real
2008-04-05 21:36    ---------   d-----w C:\Program Files\Common Files\xing shared
2008-04-05 21:36    ---------   d-----w C:\Program Files\Common Files\Real
2008-03-16 08:52    47,360  ----a-w C:\Documents and Settings\Michael\Application Data\pcouffin.sys
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C3CB215-1609-49A2-A7F2-BB92E8397AA0}]
C:\WINDOWS\system32\xxywWNGY.dll


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-10-30 13:44 1953792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=C:\WINDOWS\pss\DualCoreCenter.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-06-05 06:32 899864 C:\PROGRA~1\AVG\AVG8\avgtray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
--a------ 2007-03-07 18:30 270336 C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-07-19 20:26 52896 C:\Program Files\Common Files\Symantec Shared\ccApp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 10:39 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2006-10-30 13:44 36864 C:\WINDOWS\JM\JMInsIDE.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 01:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2008-05-14 10:12 1923352 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-09-27 21:33 125168 C:\PROGRA~1\SYMANT~1\VPTray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-05 06:32]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-05 06:32]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-05 06:32]
S3 AF05BDA;AF9005 BDA Device;C:\WINDOWS\system32\drivers\AF05BDA.sys [2006-12-05 09:11]
S3 DualCoreCenter;DualCoreCenter;C:\Program Files\ATI Technologies\ATI.ACE\NTGLM7X.sys [2007-01-22 14:58]
S3 RushTopDevice2;RushTopDevice2;C:\Program Files\ATI Technologies\ATI.ACE\RushTop.sys [2007-01-23 15:23]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-17 15:04]
S3 VCenterDriver;VCenterDriver;C:\Program Files\MSI\VCenter\NTGLM7X.sys []
S4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-05 06:32]
S4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-05 06:32]


.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 20:48:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 22:32:54
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


C:\WINDOWS\explorer.exe [2020] 0x897A8500


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-05 22:36:25 - machine was rebooted [Mike2]
ComboFix-quarantined-files.txt  2008-06-05 21:36:18


Pre-Run: 19,533,148,160 bytes free
Post-Run: 26,958,741,504 bytes free


258 --- E O F ---   2008-05-29 04:51:14


And here is the log from Hijack


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:40:05, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3CB215-1609-49A2-A7F2-BB92E8397AA0} - C:\WINDOWS\system32\xxywWNGY.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204019719796
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll


--
End of file - 4939 bytes

You chopped the top of the combofix log. It is very important that the entire log be posted in future.

==

Can you please do the following?


===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {1C3CB215-1609-49A2-A7F2-BB92E8397AA0} - C:\WINDOWS\system32\xxywWNGY.dll (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
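As an added example (not part of this thread, and not a HijackThis feature), a small Python triage script that reads O2 and O20 lines in the HijackThis v2.0.2 format shown above and flags the patterns the helper singled out: a BHO whose DLL is gone, a random-named DLL in system32 loaded as a BHO or as a Winlogon Notify handler, and the same DLL appearing in both places, as ssqNHBrs.dll does in the first log. The random-name test is my own heuristic, and the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Entry shapes HijackThis v2.0.2 uses for the two types the thread deals with.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")

# Sample lines copied from the two logs in this thread (constructed excerpt, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3CB215-1609-49A2-A7F2-BB92E8397AA0} - C:\WINDOWS\system32\xxywWNGY.dll (file missing)
O2 - BHO: (no name) - {6233D25F-E3C1-4A4C-A4F5-4A36E6AD34AD} - (no file)
O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - C:\WINDOWS\system32\ssqNHBrs.dll
O20 - Winlogon Notify: ssqNHBrs - C:\WINDOWS\SYSTEM32\ssqNHBrs.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    line: str
    severity: str  # "low" | "medium" | "high"
    reason: str


def split_path(field: str) -> Tuple[str, bool]:
    """Return (path, present). Strips HijackThis' '(file missing)' marker and treats
    '(no file)' as an entry with no path at all."""
    f = field.strip()
    for marker in MISSING_MARKERS:
        if f.lower().endswith(marker):
            return f[: -len(marker)].strip(), False
    return f, True


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(dll: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): the DLLs in this thread all
    have an 8-letter stem with capitals mixed into the middle, e.g. xxywWNGY, ssqNHBrs."""
    stem = dll[:-4] if dll.lower().endswith(".dll") else dll
    if len(stem) != 8 or not stem.isalpha():
        return False
    inner = stem[1:]
    return any(c.isupper() for c in inner) and any(c.islower() for c in inner)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    bho: Dict[str, str] = {}     # lower-cased DLL name -> O2 line
    notify: Dict[str, str] = {}  # lower-cased DLL name -> O20 line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path, present = split_path(m.group("path"))
            dll = basename(path) if path else ""
            if not present:
                # What the helper asked to 'Fix checked': a registration whose DLL is gone.
                sev = "medium" if looks_random(dll) else "low"
                findings.append(Finding(line, sev, "orphaned BHO; DLL no longer on disk"))
            elif looks_random(dll):
                findings.append(Finding(line, "high", "BHO loads a random-named DLL from system32"))
            elif m.group("name") == "(no name)":
                findings.append(Finding(line, "medium", "unnamed BHO; verify the DLL's publisher"))
            if dll:
                bho[dll.lower()] = line
            continue
        m = O20_RE.match(line)
        if m:
            path, present = split_path(m.group("path"))
            dll = basename(path)
            if present and looks_random(dll):
                findings.append(Finding(line, "high", "Winlogon Notify handler is a random-named DLL"))
            notify[dll.lower()] = line
    # The same DLL hooked into both IE and winlogon.exe is the pattern seen in the first log.
    for dll in sorted(bho.keys() & notify.keys()):
        findings.append(Finding(notify[dll], "high",
                                f"{dll} is registered both as a BHO and as a Winlogon Notify handler"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a full HijackThis log to get a ranked list of O2/O20 entries to examine before deciding what to fix.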
