My son is really making things hard! At least it's not my PC!
Here's his HiJackThis! log. Any suggestions? Thanks in advance for any help!!!!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:24:38 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\hkcmd.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
F:\Program Files\COMODO\Firewall\cfp.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\rundll32.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\HiJackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\byxyaxw.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199230403921
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D2C262-ABFB-4E79-BC19-DFA712147FB7}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{06D2C262-ABFB-4E79-BC19-DFA712147FB7}: NameServer = 209.244.0.3 209.244.0.4
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyaxw - C:\WINDOWS\SYSTEM32\byxyaxw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - F:\Program Files\COMODO\Firewall\cmdagent.exe

All 10 Replies

Remove the following:

O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\byxyaxw.dll

O4 - Startup: PowerReg Scheduler V3.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{06D2C262-ABFB-4E79-BC19-DFA712147FB7}: NameServer = 209.244.0.3 209.244.0.4

O17 - HKLM\System\CS1\Services\Tcpip\..\{06D2C262-ABFB-4E79-BC19-DFA712147FB7}: NameServer = 209.244.0.3 209.244.0.4

O20 - Winlogon Notify: byxyaxw - C:\WINDOWS\SYSTEM32\byxyaxw.dll

F:\Program Files\HiJackThis!\HijackThis.exe (should be run in its own folder as it keeps backups)

Note: Upgrade to Internet Explorer 7 [ from here ]

If this PC is constantly having problems, I would recommend either monitoring his activity, adding a download quota or blocking certain file extensions.

I thought those were probably the culprits.
But before I do anything, I'd like to double check something.
I think the NameServer may be my internet connection. MSN dialup.
And HiJackThis! is in its own folder. I made 4 partitions on my son's drive, after his last outbreak. I had to just reformat his drive and was advised by Gerbil to maybe partition. So I did. F:\ being one of the partitions.
I also keep having trouble with this little bugger, "jkkjh.dll" It keeps trying to do stuff. Thanks for your response so far.
~H

Download this file VundoFix here
save to desktop THEN start in safe mode and run the file

Also, please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

You need to update hijackthis to version 2.0.2. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually.

Here's the fresh logs, and a question.
Is it ok to run both AVG-AV free Resident and Spybot Resident, or should I just go one? If just one is better, which one? Thanks.
~~~~~~~~~~~~~
ComboFix 08-02-14.3 - Owner 2008-02-14 10:34:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.395 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\temp\tn3
C:\WINDOWS\b116.exe.bin
C:\WINDOWS\b151.exe.bin
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini2
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\teuibics.ini
C:\WINDOWS\system32\z1
C:\WINDOWS\system32\z9
E:\User Documents and Data\Matt\User Data\Application Data\TSKS~1
E:\User Documents and Data\Matt\User Data\Application Data\TSKS~1\T?sks\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-14 10:14 . 2008-02-14 10:14 <DIR> d-------- F:\Program Files\Trend Micro
2008-02-14 09:21 . 2008-02-14 09:21 <DIR> d-------- C:\VundoFix Backups
2008-02-13 22:37 . 2008-02-13 23:02 <DIR> d-------- E:\User Documents and Data\Matt\User Data\Application Data\AVG7
2008-02-13 22:36 . 2008-02-13 22:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 22:35 . 2008-02-13 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-13 22:35 . 2008-02-13 22:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-13 15:28 . 2008-02-13 15:34 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-13 15:14 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-13 15:14 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-13 15:14 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-13 15:14 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-13 15:14 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-13 15:14 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-13 15:14 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-11 19:58 . 2008-02-14 00:33 336 --a------ C:\WINDOWS\wininit.ini
2008-02-11 18:22 . 2008-02-11 17:42 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 18:22 . 2008-02-11 18:24 3,446 --a------ C:\WINDOWS\unins000.dat
2008-02-11 17:40 . 2008-02-11 17:40 <DIR> d-------- E:\User Documents and Data\Matt\User Data\Application Data\Lavasoft
2008-02-11 17:38 . 2008-02-11 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 16:38 . 2008-02-11 16:38 <DIR> d-------- F:\Program Files\COMODO
2008-02-11 16:38 . 2008-02-11 16:38 <DIR> d-------- E:\User Documents and Data\Matt\User Data\Application Data\Comodo
2008-02-11 16:38 . 2008-02-11 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-11 16:38 . 2008-02-11 16:38 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-11 16:38 . 2008-02-11 16:38 83,064 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-11 16:38 . 2008-02-11 16:38 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-11 15:53 . 2008-02-11 18:56 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2008-02-11 15:53 . 2008-02-11 15:53 <DIR> d-------- F:\Program Files\Lavasoft
2008-02-11 13:47 . 2008-02-11 17:02 <DIR> d-------- F:\Program Files\SpywareGuard
2008-02-11 13:46 . 2008-02-11 13:52 <DIR> d-------- F:\Program Files\SpywareBlaster
2008-02-11 13:46 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-02-10 18:00 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-02-10 18:00 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-02-10 18:00 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-02-10 17:28 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-10 10:11 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-10 10:09 . 2008-02-10 10:09 <DIR> d-------- C:\WINDOWS\provisioning
2008-02-10 10:09 . 2008-02-10 10:09 <DIR> d-------- C:\WINDOWS\peernet
2008-02-10 10:08 . 2008-02-10 10:08 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-10 10:01 . 2008-02-10 10:01 <DIR> d-------- C:\WINDOWS\EHome
2008-02-09 17:59 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-02-09 17:59 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-02-09 17:57 . 2008-02-09 17:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-09 17:57 . 2007-09-17 11:25 514,432 --a------ C:\WINDOWS\system32\drivers\L6PODLV.sys
2008-02-09 17:57 . 2007-09-17 11:22 118,784 --a------ C:\WINDOWS\system32\l6podlv.dll
2008-02-09 17:57 . 2007-09-17 11:31 29,312 --a------ C:\WINDOWS\system32\drivers\l6dp.sys
2008-02-08 16:43 . 2008-02-08 16:43 <DIR> d-------- F:\Program Files\Acoustica Shared Effects
2008-02-08 16:43 . 2008-02-11 11:45 <DIR> d-------- F:\Program Files\Acoustica Beatcraft
2008-02-05 18:56 . 2006-08-02 11:15 106,496 --a------ C:\WINDOWS\acufutls.dll
2008-02-04 19:15 . 2008-02-04 19:15 <DIR> d-------- F:\Program Files\Audacity
2008-01-30 21:32 . 2002-04-15 21:11 67,866 --a------ C:\WINDOWS\system32\drivers\netwlan5.img
2008-01-30 21:32 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-01-30 21:32 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-01-30 21:32 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-12 05:12 --------- d-----w F:\Program Files\Maxis
2008-02-08 23:40 --------- d-----w F:\Program Files\Common Files\AVSMedia
2008-02-08 23:40 --------- d-----w F:\Program Files\AVSMedia
2008-01-04 05:40 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-01-04 02:11 --------- d-----w F:\Program Files\CCleaner
2008-01-04 01:57 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\LimeWire
2008-01-03 00:32 --------- d-----w F:\Program Files\Line6
2008-01-02 22:49 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\Line 6
2008-01-02 01:22 --------- d-----w F:\Program Files\Java
2008-01-02 01:21 --------- d-----w F:\Program Files\Common Files\Java
2008-01-01 23:28 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\Talkback
2008-01-01 23:01 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\MSN6
2008-01-01 22:33 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\Grisoft
2008-01-01 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 12:37 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 12:19 118784]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-13 22:35 579072]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-03 23:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-13 22:35 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - F:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"84e0a89e"=rundll32.exe "C:\WINDOWS\system32\scibiuet.dll",b

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-11 16:38]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-11 16:38]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2007-09-17 11:31]
S3 L6PODLV;PODxt Live Service;C:\WINDOWS\system32\Drivers\L6PODLV.sys [2007-09-17 11:25]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 10:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-14 10:40:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 18:40:14
.
2008-02-14 17:14:52 --- E O F ---

~~~~~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:31 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\hkcmd.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\COMODO\Firewall\cfp.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [84e0a89e] rundll32.exe "C:\WINDOWS\system32\scibiuet.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199230403921
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - F:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 4285 bytes

Here's the fresh logs, and a question.
Is it ok to run both AVG-AV free Resident and Spybot Resident, or should I just go one? If just one is better, which one?

They both do different things, so keep them both.

==

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [84e0a89e] rundll32.exe "C:\WINDOWS\system32\scibiuet.dll",b

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\scibiuet.dll
Folder::
C:\VundoFix Backups

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
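
The before/after comparison behind this reply, as an added example that is not part of the original thread: it diffs two HijackThis logs and cross-checks load points. The log excerpts are copied from the posts above and trimmed; the function names and the two triage heuristics are assumptions of this example, not HijackThis features.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (saved 2/13/2008 and 2/14/2008), trimmed to a handful of lines.
LOG_FEB13 = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\byxyaxw.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyaxw - C:\WINDOWS\SYSTEM32\byxyaxw.dll
"""

LOG_FEB14 = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [84e0a89e] rundll32.exe "C:\WINDOWS\system32\scibiuet.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

# "O4 - rest of line": section code, then the entry detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# First drive-letter path ending in .dll or .exe inside an entry.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:dll|exe)\b", re.IGNORECASE)


def parse(log):
    """Return (code, detail) tuples for every section line in a log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def module_of(detail):
    """Lower-cased path of the first .dll/.exe named in an entry, or None."""
    m = PATH_RE.search(detail)
    return m.group(0).lower() if m else None


def diff(before, after):
    """Entries that disappeared and entries that are new (case-insensitive)."""
    b = {(c, d.lower()): (c, d) for c, d in parse(before)}
    a = {(c, d.lower()): (c, d) for c, d in parse(after)}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


def unnamed_bho_also_winlogon(log):
    """Heuristic (assumption of this example): a DLL registered both as a
    BHO with no name (O2) and as a Winlogon Notify package (O20)."""
    bho, notify = set(), set()
    for code, detail in parse(log):
        mod = module_of(detail)
        if mod is None:
            continue
        if code == "O2" and detail.startswith("BHO: (no name)"):
            bho.add(mod)
        elif code == "O20" and detail.startswith("Winlogon Notify:"):
            notify.add(mod)
    return sorted(bho & notify)


def rundll32_run_values(entries):
    """Heuristic (assumption of this example): O4 Run values whose command
    is rundll32 loading a DLL, like the entry fixed in this reply."""
    pattern = re.compile(r"\]\s*rundll32(\.exe)?\s", re.IGNORECASE)
    return [(c, d) for c, d in entries if c == "O4" and pattern.search(d)]


if __name__ == "__main__":
    removed, added = diff(LOG_FEB13, LOG_FEB14)
    print("Gone since the first log:")
    for code, detail in removed:
        print(f"  {code} - {detail}")
    print("New in the second log:")
    for code, detail in added:
        print(f"  {code} - {detail}")
    print("Unnamed BHO + Winlogon Notify (first log):",
          unnamed_bho_also_winlogon(LOG_FEB13))
    print("New rundll32 Run values:", rundll32_run_values(added))
```

A hit from either heuristic is a prompt to inspect the file, not a verdict, since legitimate software also registers rundll32 Run values.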

ComboFix 08-02-14.3 - Owner 2008-02-15 9:01:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.391 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\scibiuet.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\gebyv.dll.bad

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-15 08:58 . 2008-02-15 08:58 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-14 10:14 . 2008-02-14 10:14 <DIR> d-------- F:\Program Files\Trend Micro
2008-02-13 22:37 . 2008-02-14 11:29 <DIR> d-------- E:\User Documents and Data\Matt\User Data\Application Data\AVG7
2008-02-13 22:36 . 2008-02-13 22:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 22:35 . 2008-02-13 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-13 22:35 . 2008-02-13 22:35 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-02-13 15:28 . 2008-02-14 11:06 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-13 15:14 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-13 15:14 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-13 15:14 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-13 15:14 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-13 15:14 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-13 15:14 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-13 15:14 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-11 19:58 . 2008-02-14 00:33 336 --a------ C:\WINDOWS\wininit.ini
2008-02-11 18:22 . 2008-02-11 17:42 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 18:22 . 2008-02-11 18:24 3,446 --a------ C:\WINDOWS\unins000.dat
2008-02-11 17:40 . 2008-02-11 17:40 <DIR> d-------- E:\User Documents and Data\Matt\User Data\Application Data\Lavasoft
2008-02-11 17:38 . 2008-02-11 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 16:38 . 2008-02-11 16:38 <DIR> d-------- F:\Program Files\COMODO
2008-02-11 16:38 . 2008-02-11 16:38 <DIR> d-------- E:\User Documents and Data\Matt\User Data\Application Data\Comodo
2008-02-11 16:38 . 2008-02-11 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-02-11 16:38 . 2008-02-11 16:38 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-02-11 16:38 . 2008-02-11 16:38 83,064 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-11 16:38 . 2008-02-11 16:38 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-11 15:53 . 2008-02-11 18:56 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2008-02-11 15:53 . 2008-02-11 15:53 <DIR> d-------- F:\Program Files\Lavasoft
2008-02-11 13:47 . 2008-02-11 17:02 <DIR> d-------- F:\Program Files\SpywareGuard
2008-02-11 13:46 . 2008-02-11 13:52 <DIR> d-------- F:\Program Files\SpywareBlaster
2008-02-11 13:46 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-02-11 12:29 . 2006-12-26 06:00 10,965 --------- C:\WINDOWS\_000004_.tmp.dll
2008-02-10 18:00 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-02-10 18:00 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-02-10 18:00 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-02-10 17:28 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-10 10:11 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-10 10:09 . 2008-02-10 10:09 <DIR> d-------- C:\WINDOWS\provisioning
2008-02-10 10:09 . 2008-02-10 10:09 <DIR> d-------- C:\WINDOWS\peernet
2008-02-10 10:08 . 2008-02-10 10:08 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-10 10:01 . 2008-02-10 10:01 <DIR> d-------- C:\WINDOWS\EHome
2008-02-09 17:59 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-02-09 17:59 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-02-09 17:57 . 2008-02-09 17:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-09 17:57 . 2007-09-17 11:25 514,432 --a------ C:\WINDOWS\system32\drivers\L6PODLV.sys
2008-02-09 17:57 . 2007-09-17 11:22 118,784 --a------ C:\WINDOWS\system32\l6podlv.dll
2008-02-09 17:57 . 2007-09-17 11:31 29,312 --a------ C:\WINDOWS\system32\drivers\l6dp.sys
2008-02-08 16:43 . 2008-02-08 16:43 <DIR> d-------- F:\Program Files\Acoustica Shared Effects
2008-02-08 16:43 . 2008-02-11 11:45 <DIR> d-------- F:\Program Files\Acoustica Beatcraft
2008-02-05 18:56 . 2006-08-02 11:15 106,496 --a------ C:\WINDOWS\acufutls.dll
2008-02-04 19:15 . 2008-02-04 19:15 <DIR> d-------- F:\Program Files\Audacity
2008-01-30 21:32 . 2002-04-15 21:11 67,866 --a------ C:\WINDOWS\system32\drivers\netwlan5.img
2008-01-30 21:32 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-01-30 21:32 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-01-30 21:32 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-12 05:12 --------- d-----w F:\Program Files\Maxis
2008-02-08 23:40 --------- d-----w F:\Program Files\Common Files\AVSMedia
2008-02-08 23:40 --------- d-----w F:\Program Files\AVSMedia
2008-01-04 05:40 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-01-04 02:11 --------- d-----w F:\Program Files\CCleaner
2008-01-04 01:57 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\LimeWire
2008-01-03 00:32 --------- d-----w F:\Program Files\Line6
2008-01-02 22:49 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\Line 6
2008-01-02 01:22 --------- d-----w F:\Program Files\Java
2008-01-02 01:21 --------- d-----w F:\Program Files\Common Files\Java
2008-01-01 23:28 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\Talkback
2008-01-01 23:01 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\MSN6
2008-01-01 22:33 --------- d-----w E:\User Documents and Data\Matt\User Data\Application Data\Grisoft
2008-01-01 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-02 12:37 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-02 12:19 118784]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-13 22:35 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-13 22:35 219136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - F:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-11 16:38]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-11 16:38]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2007-09-17 11:31]
S3 L6PODLV;PODxt Live Service;C:\WINDOWS\system32\Drivers\L6PODLV.sys [2007-09-17 11:25]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 09:04:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-02-15 9:05:39
ComboFix-quarantined-files.txt 2008-02-15 17:05:21
ComboFix2.txt 2008-02-14 18:40:20
.
2008-02-15 03:36:12 --- E O F ---

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:55 AM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
F:\Program Files\COMODO\Firewall\cmdagent.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\COMODO\Firewall\cfp.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199230403921
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - F:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 4205 bytes

Unless I have missed something, those logs look ok.
How is the pc?

Excellent so far!! Got AVG-AV now and Internet Explorer 7. Downloading all updates now. Everything seems A-OK!
THANK YOU CRUNCHIE!!!!!!!!!!!!!!!!!!:*
And everyone else too!

Oh ya. One more thing.
Can/Should I delete the "Qoobox" folder and all its contents? Or at least the quarantine folder/files in it? (they're makin' me nerrrrrrvous)
And should I delete System Restore Points? (although I have done some things since the fix. installed IE7 and some updates)

Do the following and Qoobox etc will be removed.

Let's get rid of Combofix now that we are finished with it.

The above procedure will:


  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

==

Do all your updating etc. and, once done, turn off System Restore and reboot. Once rebooted, restart System Restore.
