0

Hi all, I hope you are well. I am trying to remove the Trojan "win32 cutwail.j" from a friend's computer; the first step I have taken was to scan with Spybot S & D, which removed some malware. I believe that the payload is still prevalent in the system though. Here is a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:11, on 12/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Phil\Desktop\windows-kb890830-v2.13.exe
c:\c79ed52ccac1b6de22095e4b332dbb53\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ecollege.ie/site/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-21-736535237-3451093729-2193730098-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-736535237-3451093729-2193730098-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-736535237-3451093729-2193730098-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9716 bytes

I would be very grateful if anyone might advise me on what to do next. Many thanks.

2
Contributors
36
Replies
37
Views
8 Years
Discussion Span
Last Post by majestic0110

1

I note several things immediately in the HJT log.
#1. SpyBot TeaTimer is running. This needs to be disabled as it WILL interfere with any fixes done.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

#2. Now this "may" be taken care of by the above restart, but MBA-M was set to run at Start Up, meaning the program evidently has been run but required a restart to fully remove whatever was found. This would have been noted in the log, which you did not post by the way. It would have said Quarantine or Delete on restart or something similar. Meaning it couldn't clean without restarting the computer.

The reason for this would be that the infected file was probably in use AND set to start after the computer boots up. When MBA-M must complete a removal with a restart what will happen when the computer is restarted is MBA-M will Remove the infected files BEFORE they can begin to run. So this should be a rule to follow with EVERY MBA-M scan, unless the scan is clean, just always reboot the computer after the scan, even if the log doesn't say to do it. This will get you in the habit of doing so and therefore you can be assured the program cleaned what needed to be cleaned.
Please do the above and post back with that MBA-M log and a new HJT log done AFTER the reboot.

0

Hi there jholland1964, thank you very much for the reply. I did not realise that Teatimer would interfere with any scans, that is useful information! I shall restart, rescan and repost (the 3 "R's"!). P.S. I apologise for omitting the MBA-M log and will post a new log after the 3 "R's" ! Thanks again.

0

Good deal. To clarify the TeaTimer...what it can do is interfere with actual fixes done, especially if there is a registry key involved.
What it is "supposed to do" is give you a notification of registry changes which are going to be made and give you the option of saying no or yes. But with the number of infections found when TeaTimer is definitely running in the background all the time, it obviously falls short on this. Of course some people may have received a warning before some sort of infection makes a registry change or addition, but I sincerely doubt that ALL people would say ok.
Plus when fixes are being attempted using other programs TeaTimer has been known to block these legitimate changes needed and NOT do any notification.
The Spybot scanner is excellent and will remove many infections and a lot of malware but the TeaTimer portion leaves a lot to be desired.
I will wait for your scan logs.
Judy

0

Ok, I performed a restart, but now I am getting a BSOD upon starting Windows normally or even with Safe Mode with Networking. I am, however, able to get pure Safe Mode up, so I have done so and am now scanning using MBA-M. Looking quite nasty though....BSOD is so fast I cannot read it, and then the laptop shuts down immediately....

0

Do what you can and then we can figure out where to go from there.
Also post that first MBA-M log when you do. That can be found within the program under Logs tab.

0

Ok, thanks a lot JHolland1964, nasty piece of kit this one! Who writes these things!

Creeps who take joy in hurting those they don't know!

0

The fools... I really appreciate the help you are offering here. MBA-M is still scanning, might take another half hour or so, but I will try and post the log if I can get access to Windows or even Safe Mode with Networking. I am using my PC to post this message, but I am loath to put a USB stick into the infected PC to obtain the log for upload for fear of infecting my PC (if you know what I mean).

0

OK, MBA-M has finished, it picked up only 1 trojan - C:\windows\system32\1.tmp (Trojan.agent).
This was quarantined and deleted. I followed the instructions from MBA-M and restarted straight away. Unfortunately, still no access to Windows or Windows Safe Mode with Networking...Hmmm. BSOD still popping up - is there any way that I can find out what it says? I tried photographing it with a digital camera (lol) but it disappears too fast! What should I do next?

0


If you can access the Event Viewer in Safe mode go there and see what the errors are. Probably listed in System Errors section.
Start, Control Panel, Administrative Tools, Event Viewer. Look in System and also in Applications. Just the most recent errors listed there.

0

OK, I have to warn you there are a few! OK under applications :
"Warning - Userenv - Windows saved user **\*** registry while an app or service was still using the reg during log off. the memory used by the users' registry has not been freed. the registry will be unloaded when it is no longer in use. "
Ok, under SYSTEM I see about 8 errors to do with Service Control Manager and 6 for DCOM. Unfortunately I have to type this by hand which is not great! Under the Service Control Manager errors it appears that system start drivers are failing to load, followed by a lot of drivers; some seem legit to me, others I am very wary about. Please, if you need more information do not hesitate to ask! Your knowledge is outstanding!

0

Additional: I can see under Security Task Manager a few rogue processes: "msword98.exe" operating in c\windows\system32, "braviax.exe" in c\windows\system32. Should I perform a boot scan using Avast?

0

Yes and see if that makes a difference.

0

Ok thanks, that will probably take some time but I will post any findings up here. Thanks again!

0

Hi, a quick update: the avast root scan has prevented the BSOD upon start up and I am now able to get into Windows normally. I did a scan with MBA-M. Here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2610
Windows 5.1.2600 Service Pack 3

13/08/2009 12:14:39
mbam-log-2009-08-13 (12-14-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223335
Time elapsed: 55 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Phil\msword98.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Documents and Settings\Phil\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Phil\Local Settings\Temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv151250024935.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv421250008288.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Phil\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

I performed a reboot and I am going to now do a HJT scan. I keep getting avast warning! pop ups about C:\windows\temp\wpv44120047226.exe\install.exe (malware name = win32.Neredr[Drp] - a dropper of some sort.....)
Any help/advice would be greatly appreciated!

0

Additional: HJT log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:27, on 13/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Temp\wpv531250008288.exe
C:\DOCUME~1\Phil\LOCALS~1\Temp\RarSFX0\install.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BNF.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 6894 bytes

I presume there are values listed in that HJT log that I SHOULD NOT remove, any advice on that ?
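As an added defender-side illustration (not a tool from this thread, and not part of HijackThis or the helpers' instructions), the Python script below applies the same patterns the helpers act on in the HJT log above: processes running from Temp directories, an autorun value with an empty target (the braviax entry), an executable dropped straight into the Startup folder (ikowin32.exe), and orphaned "(no file)" entries. The sample lines are copied from the log above and mixed with known-good entries from the same log; the flags it raises are leads to verify by hand, not verdicts.

```python
"""Triage helper for HijackThis-style logs (added example; not a HijackThis
or Malwarebytes feature). It applies the patterns the helpers in this thread
act on: processes running from Temp directories, an autorun value with an
empty target, an executable dropped straight into the Startup folder, and
orphaned '(no file)' entries. Findings are leads to verify, not verdicts:
installers legitimately run from Temp too."""
import re
from dataclasses import dataclass

# Sample lines copied from the second HJT log in this thread, mixed with
# known-good entries from the same log (constructed excerpt, not a full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Temp\wpv531250008288.exe
C:\DOCUME~1\Phil\LOCALS~1\Temp\RarSFX0\install.exe
C:\WINDOWS\TEMP\BNF.tmp

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Path fragments (lower-case) that mark the system and per-user Temp folders,
# including the 8.3 short form HJT prints for the user profile.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")

# O4 line layout: "O4 - <where>: [<value name>] <target> (User 'X')"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")


@dataclass
class Finding:
    line: str
    reason: str


def is_temp_path(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def check_o4(line: str):
    """Return a reason string for a suspicious O4 (autorun) entry, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    where = m.group("where")
    target = USER_SUFFIX_RE.sub("", m.group("target")).strip()
    if where.startswith("HK") and not target:
        # A Run value that exists but points nowhere: leftover of a removed
        # or hidden item (the 'braviax' entry in the thread).
        return "autorun value with an empty target"
    if where in ("Startup", "Global Startup"):
        # Startup folders normally hold .lnk shortcuts ("name.lnk = path");
        # a bare .exe dropped there is how 'ikowin32.exe' was persisted.
        item = target.split(" = ")[0]
        if not item.lower().endswith(".lnk"):
            return "executable placed directly in a Startup folder, not a shortcut"
    if is_temp_path(target):
        return "autorun target in a Temp directory"
    return None


def triage(log_text: str) -> list:
    """Walk an HJT log and collect findings for the sections handled above."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if is_temp_path(line):
                findings.append(Finding(line, "process running from a Temp directory"))
            if not line.lower().endswith(".exe"):
                # e.g. BNF.tmp: a running image that is not an .exe at all
                findings.append(Finding(line, "process image without an .exe extension"))
            continue
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append(Finding(line, "orphaned entry, file missing (cleanup only)"))
            continue
        reason = check_o4(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60} {f.line}")
```

Running it against a full log works the same way; the orphaned entries are the ones that are safe to let HJT fix, while the Temp and Startup findings are the ones to look up before touching.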

0

What do you think of using SDFix?

You already have removed the infections using MBA-M.
But if you want to go ahead, follow the instructions TO THE LETTER, no deviation. Then you will also have to run another Full Scan with MBA-M. Reboot and then do another Full Scan with HJT. Post back here with the SDFix log, the MBA-M log and the new HJT log.

0

But the system is not clean, this entry here :

O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')

Is that suspicious?

Also, Avast keeps informing that c\windows\system32\dllcache\figarosys (win32.FakeAV-NO[Rtk]) Rootkit was found ... Among other trojans there seem to be a lot of these avast pop ups. EDIT: Tried using SDFix following the instructions to the letter, but the cmd prompt window flashes up, then disappears. Also followed the advice on Bleeping Computer on how to circumvent this, to no avail. Nasty piece of work this one......Reformat the way forward?

0

You didn't give me time to read the HJT log and give the fixes using it. If you would feel better doing the other, as I said, go ahead. If you look at the MBA-M log it shows that it was removed by MBA-M. The instructions given on the page you linked say do a Quick Scan with MBA-M, we have you do a Full Scan. But that said, if you would feel better then do the steps listed on the page, post back with the logs and then I will give you the clean up steps using a new HJT scan log.

0

Right, ok, I cannot get SDFix to work so what are the options? MBA-M might have removed it but it certainly is still present in the system, so I guess it replicated...

1

SDFix must be used in Safe Mode only. This may be one reason why you say it won't work. But if you feel it has replicated then, why?

SDFix wouldn't be the tool to use for that anyway. It is not listed in the items which SDFix will remove on the SDFix Information page.

Instead you should do the following:

Download ComboFix from Here or Here. Save it to the desktop.

Do NOT run the program yet.
First you must do the following:
# Close all open Windows including this one.
# Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Once you double-click on the icon you may see a Windows Prompt.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.



ComboFix is now preparing to run, and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the Enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically
You should now post this log here when all is complete.

Thanks for the continued help!

Ok, thanks very much for all your help. I tried SDFix only in safe mode; it didn't work. I will try ComboFix and post results later. Thanks again. EDIT: I think it must have replicated itself, because after MBA-M removed it and I rebooted, then rebooted again, I launched Security Task Manager and Braviax was still listed as a running process.


OK. ComboFix has finished now, rather fast I thought! Here is the log:

ComboFix 09-08-10.06 - Phil 13/08/2009 19:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1588 [GMT 1:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090812-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Phil\Application Data\.#
c:\documents and settings\Phil\Application Data\wiaserva.log
c:\documents and settings\Phil\Start Menu\Programs\Startup\ikowin32.exe
c:\windows\kb913800.exe
c:\windows\system32\1.tmp
c:\windows\system32\braviax.exe
c:\windows\system32\tmp.reg
c:\windows\system32\wisdstr.exe

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 17:45 . 2009-08-13 17:45 -------- d-----w- c:\windows\system32\LogFiles
2009-08-12 19:12 . 2009-08-12 19:12 619584 -c--a-w- c:\windows\system32\dllcache\ntfs.sys
2009-08-12 17:59 . 2009-08-12 17:59 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-12 14:02 . 2009-08-12 14:02 -------- d-----w- c:\program files\Trend Micro
2009-08-12 11:34 . 2009-08-12 11:34 -------- d-----w- c:\documents and settings\Phil\Application Data\Malwarebytes
2009-08-12 11:34 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 11:34 . 2009-08-12 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 11:34 . 2009-08-12 11:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 11:34 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 11:32 . 2009-08-12 11:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-12 11:26 . 2009-08-12 11:26 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_BF69C629A0D9405408006C3D4A3A11E8.dll
2009-08-12 11:26 . 2009-08-12 11:26 302 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E5D9D200AB92D6E3B94CD3D7D6CB37C5.dll
2009-08-12 11:26 . 2009-08-12 11:26 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DC3BF90CC0D3D2F398A9A6D1762F70F3.dll
2009-08-12 11:26 . 2009-08-12 11:26 1251 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D20352A90C039D93DBF6126ECE614057.dll
2009-08-12 11:26 . 2009-08-12 11:26 265 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D169751270508A44CB2FE12E4D938EFD.dll
2009-08-12 11:26 . 2009-08-12 11:26 82 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7A43E36E255EB214E904DFF65C22A7AB.dll
2009-08-12 11:26 . 2009-08-12 11:26 125 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_71008F6089F849C48B8625535896CF23.dll
2009-08-12 11:26 . 2009-08-12 11:26 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4F4A3A23297B6D117AA8000B0D611004.dll
2009-08-12 11:26 . 2009-08-12 11:26 103 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_342C9E3FE221B6D4CA1C1EEF0CF2C61A.dll
2009-08-12 11:26 . 2009-08-12 11:26 3568 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_26DDC2EC4210AC63483DF9D4FCC5B59D.dll
2009-08-12 11:26 . 2009-08-12 11:26 316 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0D756077321A70C3E844C138CE981581.dll
2009-08-12 11:26 . 2009-08-12 11:26 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2009-08-12 11:14 . 2008-04-13 19:20 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-08-12 10:51 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:22 . 2009-08-11 14:22 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Identities
2009-08-10 19:11 . 2009-08-10 19:11 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Help
2009-08-08 23:04 . 2009-03-04 09:31 4202496 ----a-w- c:\windows\system32\drivers\NETw5x32.sys
2009-08-08 23:04 . 2008-06-20 09:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-08-08 23:04 . 2008-06-20 09:32 663552 ----a-w- c:\windows\system32\NETw5c32.dll
2009-08-08 18:58 . 2009-08-08 18:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-05 15:50 . 2009-06-30 16:40 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-05 15:12 . 2009-08-12 19:50 -------- d-----w- c:\documents and settings\Phil\Application Data\vlc
2009-08-05 11:47 . 2009-08-05 11:47 152576 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-29 07:18 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 07:18 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-27 19:44 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-07-27 12:54 . 2009-07-27 12:54 -------- d-----w- c:\documents and settings\Phil\.netbeans-derby
2009-07-27 12:29 . 2009-07-27 12:52 -------- d-----w- c:\documents and settings\Phil\.netbeans
2009-07-27 12:29 . 2009-07-27 12:29 -------- d-----w- c:\documents and settings\Phil\.netbeans-registration
2009-07-27 12:29 . 2009-07-27 12:29 -------- d-----w- c:\program files\Apache Software Foundation
2009-07-27 12:28 . 2009-07-27 21:30 -------- d-----w- c:\program files\sges-v3-prelude
2009-07-27 12:26 . 2009-07-27 12:26 -------- d-----w- C:\Sun
2009-07-27 12:21 . 2009-07-30 16:49 -------- d-----w- c:\program files\NetBeans 6.7
2009-07-25 23:01 . 2009-07-27 12:32 -------- d-----w- c:\documents and settings\Phil\.nbi
2009-07-24 16:59 . 2009-07-24 16:59 -------- d-----w- c:\program files\Firaxis Games
2009-07-23 19:50 . 2009-07-23 19:54 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Eraser
2009-07-23 17:00 . 2009-07-23 17:00 -------- d-----w- c:\program files\Recuva
2009-07-23 12:56 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-07-23 12:56 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-07-22 16:14 . 2009-07-22 16:14 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Apple
2009-07-21 15:17 . 2009-07-21 15:17 -------- d-----w- c:\documents and settings\Phil\bluej
2009-07-21 15:15 . 2009-07-21 15:15 -------- d-----w- c:\program files\Sun
2009-07-21 14:56 . 2009-07-21 15:10 -------- d-----w- c:\documents and settings\Phil\.SunDownloadManager
2009-07-21 14:55 . 2009-07-21 14:55 -------- d-----w- C:\BlueJ
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-16 15:07 . 2009-07-16 15:07 -------- d-----w- c:\program files\CCleaner
2009-07-16 13:37 . 2009-07-16 13:37 -------- d-----w- c:\program files\Sophos
2009-07-15 17:26 . 2009-07-15 17:26 -------- d-----w- C:\Restoration
2009-07-15 15:56 . 2009-07-15 15:56 -------- d-----w- c:\program files\LSoft Technologies
2009-07-15 15:18 . 2009-08-13 12:18 -------- d-----w- c:\program files\iStar
2009-07-14 20:39 . 2009-07-26 14:52 -------- d-----w- c:\documents and settings\Phil\.fontconfig

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 18:54 . 2009-07-11 14:29 -------- d-----w- c:\program files\PeerGuardian2
2009-08-13 18:04 . 2009-05-03 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 14:16 . 2009-05-09 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-12 13:31 . 2009-05-04 21:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-12 12:18 . 2009-06-30 18:36 -------- d-----w- c:\program files\Security Task Manager
2009-08-12 00:29 . 2009-05-14 15:00 1 ----a-w- c:\documents and settings\Phil\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-11 23:17 . 2009-07-12 16:35 -------- d-----w- c:\program files\Diablo II
2009-08-05 11:47 . 2006-03-17 10:58 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2006-03-17 09:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:15 . 2009-05-07 07:56 6388 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 11:15 . 2009-05-15 19:40 -------- d-----w- c:\documents and settings\Phil\Application Data\gtk-2.0
2009-07-29 20:46 . 2009-05-03 18:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-27 19:45 . 2009-07-27 19:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-27 19:44 . 2009-07-27 19:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-25 11:38 . 2006-03-17 12:26 38576 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 04:23 . 2009-05-15 12:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 17:18 . 2006-03-17 11:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 15:10 . 2009-05-12 12:58 -------- d-----w- c:\program files\Doom Builder
2009-07-20 12:03 . 2009-05-31 01:04 -------- d-----w- c:\program files\LaunchTool
2009-07-17 19:01 . 2006-03-17 09:19 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:16 . 2009-05-13 14:14 -------- d-----w- c:\program files\Project64 1.6
2009-07-13 14:40 . 2009-07-13 14:27 1004 ----a-w- c:\windows\eReg.dat
2009-07-13 14:34 . 2009-07-13 14:17 -------- d-----w- c:\program files\EA Games
2009-07-13 09:08 . 2006-03-17 09:20 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 22:34 . 2009-07-12 16:45 35165 ----a-w- c:\windows\DIIUnin.dat
2009-07-12 16:45 . 2009-07-12 16:45 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-12 16:45 . 2009-07-12 16:45 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-11 23:05 . 2009-07-11 21:44 -------- d-----w- c:\documents and settings\Phil\Application Data\dvdcss
2009-07-03 17:09 . 2006-03-17 09:20 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 23:29 . 2009-07-02 23:29 -------- d-----w- c:\documents and settings\Phil\Application Data\InterVideo
2009-07-01 17:12 . 2009-07-01 17:12 -------- d-----w- c:\program files\Alwil Software
2009-07-01 13:43 . 2009-07-01 13:43 -------- dc----w- c:\documents and settings\All Users\Application Data\{8AE45C14-3559-45A6-AF34-03CE304FA276}
2009-07-01 13:20 . 2009-07-01 13:20 -------- d-----w- c:\program files\MSBuild
2009-07-01 13:20 . 2009-07-01 13:20 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 13:08 . 2009-07-01 13:08 -------- d-----w- c:\documents and settings\Phil\Application Data\Uniblue
2009-07-01 13:06 . 2009-07-01 13:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-07-01 13:06 . 2009-07-01 13:06 -------- d-----w- c:\program files\Uniblue
2009-06-30 18:36 . 2009-06-30 18:36 295 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C9D2F2ED2E35EE04289047AD36BC60E0.dll
2009-06-30 18:36 . 2009-06-30 18:36 26 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D139E7FE48CDB174D86B8A3385904547.dll
2009-06-30 18:36 . 2009-06-30 18:36 133 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8C585A7BE4EC0514486C1AC3C31B73F9.dll
2009-06-30 18:36 . 2009-06-30 18:36 258 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0558D69260BC4E84A9B85E30F46B7451.dll
2009-06-28 20:45 . 2009-06-28 20:45 -------- d-----w- c:\program files\Bullfrog
2009-06-28 18:10 . 2009-05-12 17:16 -------- d-----w- c:\program files\id Software
2009-06-28 15:40 . 2009-06-28 15:40 -------- d-----w- c:\documents and settings\Phil\Application Data\Stellarium
2009-06-25 10:11 . 2009-06-25 10:11 -------- d-----w- c:\documents and settings\Phil\Application Data\Echo Software
2009-06-25 10:10 . 2009-06-25 10:10 -------- d-----w- c:\program files\Programmers Notepad
2009-06-25 09:52 . 2009-06-25 09:52 98304 ----a-r- c:\documents and settings\Phil\Application Data\Microsoft\Installer\{DE2F2D9C-53E2-40EE-8209-74DA63CB060E}\python_icon.exe
2009-06-16 14:36 . 2006-03-17 09:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-03-17 09:19 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 09:01 . 2009-06-16 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-15 20:24 . 2009-06-15 20:24 -------- d-----w- c:\program files\CDisplay
2009-06-15 18:47 . 2009-06-15 18:47 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-06-15 18:46 . 2009-06-15 18:46 -------- d-----w- c:\documents and settings\Phil\Application Data\AccurateRip
2009-06-15 18:46 . 2009-06-15 18:46 -------- d-----w- c:\program files\Illustrate
2009-06-15 18:44 . 2009-06-15 18:46 515760 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-15 16:58 . 2009-06-15 16:58 -------- d-----w- c:\documents and settings\Phil\Application Data\Red Alert 3
2009-06-15 16:58 . 2009-06-15 16:58 -------- d--h--r- c:\documents and settings\Phil\Application Data\SecuROM
2009-06-15 16:58 . 2009-06-15 16:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-15 16:57 . 2009-06-15 16:30 -------- d-----w- c:\program files\Electronic Arts
2009-06-15 16:57 . 2009-06-15 16:57 3624 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-15 15:38 . 2009-06-15 15:38 3710 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F6CAE87C37A7E2541843BD2B61C5A586.dll
2009-06-15 15:38 . 2009-06-15 15:38 2429 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_556106D545D648345BC271CE3558BFDB.dll
2009-06-15 15:38 . 2009-06-15 15:38 1260 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_079F5538D106D2447AB9D1D74B2FC4DA.dll
2009-06-14 21:42 . 2009-06-14 21:42 -------- d-----w- c:\program files\Common Files\DirectX
2009-06-12 12:31 . 2006-03-17 09:20 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-03-17 09:20 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 14:49 . 2009-06-11 14:49 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 14:13 . 2006-03-17 09:19 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 09:08 . 2009-06-10 09:08 152576 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 08:19 . 2006-03-17 10:31 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-03-17 09:20 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 10:42 . 2009-05-03 20:41 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 10:42 . 2009-05-03 18:05 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2006-03-17 09:20 1291264 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[7] 2004-08-10 13:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-16 7557120]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-03-15 1769472]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-16 1519616]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-17 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DOOM Collector's Edition\\prboom-2.5.0-win32\\prboom-2.5.0-win32\\prboom_server.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_14\\bin\\java.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [01/07/2009 18:12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01/07/2009 18:12 20560]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [17/03/2006 13:04 7040]
S4 SecureLockWare_EncryptFilterDriver;SecureLockWare Encryption Filter driver;c:\windows\system32\DRIVERS\ENCRFIL.SYS --> c:\windows\system32\DRIVERS\ENCRFIL.SYS [?]
S4 SecureLockWare_EncryptFilterDriver2;SecureLockWare Encryption Filter driver Ver.2;c:\windows\system32\DRIVERS\SLWFIL.SYS --> c:\windows\system32\DRIVERS\SLWFIL.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\nhirqmwn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 19:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-736535237-3451093729-2193730098-1005\Software\SecuROM\License information*]
"datasecu"=hex:78,6d,b1,42,29,9e,a5,fe,2f,6b,f2,6a,bc,0e,e3,2d,58,c7,dd,9c,b8,
da,93,35,2c,33,f3,bd,8a,17,d8,72,d1,ae,95,50,f0,c4,b8,a8,ed,59,ce,79,60,48,\
"rkeysecu"=hex:7a,3b,2b,b7,2b,f5,d7,62,5e,01,02,2f,46,97,95,b7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\COMMON~1\X10\Common\X10nets.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-13 19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 18:57

Pre-Run: 26,369,249,280 bytes free
Post-Run: 26,243,436,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

351 --- E O F --- 2009-08-12 16:48

What is the next step?

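For anyone reading a log like the one above, the useful triage questions are always the same: what did the tool delete, which system files did it repair, what still starts at logon, and which security settings on the box have been switched off. The following script is an added example (not code from this thread, and not part of ComboFix) that pulls exactly those items out of a ComboFix log. It splits the log on ComboFix's banner headers, lists the "Other Deletions" entries and any disinfected system files, parses the autorun values under the Run keys, and flags the two posture settings visible in the log above (EnableFirewall = 0 and UpdatesDisableNotify = 1). SAMPLE_LOG is a constructed excerpt of the log posted in this thread; section names and line formats are as ComboFix prints them, and everything else (function names, the "bare name" and "startup folder" flags) is this example's own convention.

```python
"""Triage a ComboFix log (added example, not code from the thread or from ComboFix).
ComboFix prints findings under banner headers ("Other Deletions", "Reg Loading
Points", ...). This splits a log on those headers, lists deleted/disinfected files,
extracts autorun entries under Run keys and flags settings that weaken the host.
SAMPLE_LOG is a constructed excerpt of the log posted in the thread."""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Phil\Start Menu\Programs\Startup\ikowin32.exe
c:\windows\system32\braviax.exe
c:\windows\system32\wisdstr.exe

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-16 1519616]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$|^-{3,}\s*(.*?)\s*-{3,}\s*$")  # ((( Name ))) or --- Name ---
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
AUTORUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'              # "name"="command"
                        r"(?:\s*-\s*(?P<resolved>.+?))?\s*(?:\[[^\]]*\])?\s*$")  # [- resolved] [date size]
SETTING_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected")


def split_sections(log):
    """Map each banner header to the lines that follow it."""
    sections, current = {"": []}, ""
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2) or ""
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def parse_deletions(lines):
    deleted, disinfected = [], []
    for line in map(str.strip, lines):
        m = INFECTED_RE.match(line)
        if m:
            disinfected.append(m.group(1))
        elif PATH_RE.match(line):
            # anything in a Startup folder ran at every logon of that user
            startup = "\\start menu\\programs\\startup\\" in line.lower()
            deleted.append({"path": line, "in_startup_folder": startup})
    return deleted, disinfected


def parse_autoruns(lines):
    entries, findings, key = [], [], None
    for line in map(str.rstrip, lines):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        am = AUTORUN_RE.match(line) if key and key.lower().endswith("\\run") else None
        if am:
            value = am.group("value")
            # a bare file name is located by PATH search at logon: check the resolved path
            entries.append({"key": key, "name": am.group("name"), "command": value,
                            "resolved": am.group("resolved"), "bare_name": "\\" not in value})
            continue
        sm = SETTING_RE.match(line)
        if sm and key:
            name, val = sm.group("name"), int(sm.group("val"), 16)
            if name == "EnableFirewall" and val == 0:
                findings.append(f"{key}: Windows Firewall is off (EnableFirewall=0)")
            elif name == "UpdatesDisableNotify" and val == 1:
                findings.append(f"{key}: Security Center update warnings suppressed (UpdatesDisableNotify=1)")
    return entries, findings


def triage(log):
    sections = split_sections(log)
    deleted, disinfected = parse_deletions(sections.get("Other Deletions", []))
    autoruns, findings = parse_autoruns(sections.get("Reg Loading Points", []))
    return {"deleted": deleted, "disinfected": disinfected, "autoruns": autoruns, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for item in report["deleted"]:
        print("deleted:", item["path"], "[startup folder]" if item["in_startup_folder"] else "")
    for path in report["disinfected"]:
        print("disinfected:", path)
    for e in report["autoruns"]:
        print("autorun:", e["name"], "->", e["resolved"] or e["command"], "[bare name]" if e["bare_name"] else "")
    for f in report["findings"]:
        print("finding:", f)
```

Run against the full log, the same parser also walks the other banner sections (Drivers/Services, Find3M, Sigcheck) since they share the header format; only the two sections triaged here are interpreted. The two flagged settings are worth acting on regardless of what else the log shows: a disabled firewall and suppressed update notifications are exactly the state a freshly cleaned machine should not be left in.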

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13:53, on 13/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 6905 bytes

OK will do, I might have to post the results over the weekend though as I have to go out now. I really do appreciate your help, you're the best! It looks a lot cleaner to me now after ComboFix actually. But I might be wrong...

Don't use the computer then until everything is deemed fully clean. Be sure it is not on or connected to the internet until you have completed the steps. We want to be sure all is gone.