Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
08-07-2007, 08:38 PM #1
EastSport
Registered User
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


"Trojan Horse Generic"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:31 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.narmir.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BB173F6D-29F4-4EA2-863F-97C23A004C7B} - C:\Program Files\OpenOffice.org 2.2\homeqyx83122.dll
O2 - BHO: (no name) - {D416F6FE-902D-4470-AC79-19998C3C8072} - C:\Program Files\OpenOffice.org 2.2\homeqyx4444.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186342231433
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4877 bytes

I keep getting popups as well... and then AVG states that there is a threat, which I heal every time, and when I log on again the threat remains.

The file name of one that I know specifically is tk58 (this was found in C:\Windows).

Here's my log, but I don't really understand it and I'm not sure it found the tk58 threat.

Also, I never ignore the threats from AVG and I've healed every threat I have come into contact with. (Just in case this helps.)

Will removing these objects ensure that I will no longer get those unwanted popups and threat messages?

Also, how safe is AVG?

Last edited by EastSport; 08-07-2007 at 08:40 PM.
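The log above is the kind of thing the helpers in this forum read by eye: which entries are vendor-signed and expected, and which are not. As an added example that is not part of the original post (and not code from HijackThis or the forum), the script below applies the same first-pass heuristics to HJT entry lines: a user start page that is not an IE default, BHOs registered with "(no name)", DLL names that look machine-generated, and Run values that name a bare executable rather than a full path. The sample lines are copied from the first log in the thread; the list of default pages and the filename pattern are assumptions chosen for illustration, not rules from any tool.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example for this thread, not code from the forum or from HijackThis.
It parses the entry types that mattered in the log above (R0 start page,
O2 BHOs, O4 Run keys) and flags what a helper looks at first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the first HJT log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.narmir.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BB173F6D-29F4-4EA2-863F-97C23A004C7B} - C:\Program Files\OpenOffice.org 2.2\homeqyx83122.dll
O2 - BHO: (no name) - {D416F6FE-902D-4470-AC79-19998C3C8072} - C:\Program Files\OpenOffice.org 2.2\homeqyx4444.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
""".strip()

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
PAGE_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer\\Main,"
                     r"(?P<key>[^=]+?) = (?P<value>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[^:]*?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")

# Assumption: IE start pages that are normal on an XP box of this era.
DEFAULT_PAGES = ("http://go.microsoft.com/", "about:blank", "http://www.msn.com")
# Assumption: "letters followed by a run of digits" is how this adware named
# its DLLs; real triage would also hash the file and look it up.
GENERATED_NAME_RE = re.compile(r"^[A-Za-z]{4,}\d{4,}\.(dll|exe)$")


@dataclass
class Finding:
    type: str                 # HJT entry type, e.g. "O2"
    line: str                 # the full log line
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1]


def triage(log_text: str) -> list:
    """Return one Finding per HJT line that has at least one reason to look at it."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        etype, body = m.group("type"), m.group("body")
        reasons = []
        if etype in ("R0", "R1"):
            p = PAGE_RE.match(body)
            if p and p.group("key") == "Start Page" and not p.group("value").startswith(DEFAULT_PAGES):
                reasons.append(f"{p.group('hive')} start page redirected to {p.group('value')}")
        elif etype == "O2":
            b = BHO_RE.match(body)
            if b:
                if b.group("name").strip().lower() == "(no name)":
                    reasons.append("BHO registered with no name")
                if GENERATED_NAME_RE.match(_basename(b.group("path"))):
                    reasons.append("BHO DLL has a machine-generated-looking filename")
        elif etype == "O4":
            r = RUN_RE.match(body)
            # A bare filename is resolved through the search path at logon,
            # so it is worth confirming which file actually runs.
            if r and not re.match(r'^"?[A-Za-z]:\\', r.group("cmd")):
                reasons.append("Run value is a bare filename; resolved via the search path")
        if reasons:
            findings.append(Finding(etype, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.type, "|", "; ".join(f.reasons))
        print("   ", f.line)
```

Run against the sample it reports the narmir.com start page, both nameless OpenOffice.org BHOs (each for two reasons) and the bare `pctspk.exe` Run value; the Java BHO, the AVG entries and the O23 service pass. The bare-filename flag is a prompt to check, not a verdict: `pctspk.exe` here lives in system32, as the ComboFix "Reg Loading Points" section later confirms.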
08-07-2007, 08:42 PM #2
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: "Trojan Horse Generic"

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
08-07-2007, 09:00 PM #3
EastSport
Registered User
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

ComboFix 07-08-07.6 - "User" 2007-08-07 22:48:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\OpenOffice.org 2.2\homeqyx4444.dll
C:\Program Files\OpenOffice.org 2.2\homeqyx83122.dll
C:\Program Files\TTC.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\TTC-4444.exe


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-07 22:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 22:47 1,411,770 --a------ C:\ComboFix.exe
2007-08-07 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 22:16 812,344 --a------ C:\HJTInstall.exe
2007-08-07 21:27 164 --a------ C:\install.dat
2007-08-07 21:25 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\GetRightToGo
2007-08-07 16:15 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2007-08-07 16:15 249,072 --a------ C:\WINDOWS\UNINST16.EXE
2007-08-07 15:44 <DIR> d-------- C:\BEST250
2007-08-07 15:43 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-08-07 15:43 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-08-07 15:43 356,992 --a------ C:\WINDOWS\system\VBRUN200.DLL
2007-08-07 15:43 283,648 --a------ C:\WINDOWS\uninst.exe
2007-08-07 15:43 28,433 --a------ C:\WINDOWS\SETUP1.EXE
2007-08-07 15:43 271,264 --a------ C:\WINDOWS\system\VBRUN100.DLL
2007-08-07 15:43 <DIR> d-------- C:\DOCUME~1\User\WINDOWS
2007-08-06 18:31 <DIR> d-------- C:\Program Files\KONAMI
2007-08-05 16:38 <DIR> d-------- C:\Program Files\MTV Networks
2007-08-05 16:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-08-05 16:34 524,288 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-08-05 16:13 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-05 16:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-05 16:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-05 16:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-05 15:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-05 14:37 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-05 14:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-05 14:37 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-05 14:32 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-05 14:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-04 17:07 <DIR> d-------- C:\Program Files\Project64 1.6
2007-08-04 17:04 <DIR> d-------- C:\Program Files\7-Zip
2007-08-04 17:00 <DIR> d-------- C:\WINDOWS\system32\f02WtR
2007-08-04 17:00 <DIR> d-------- C:\WINDOWS\system32\configs
2007-08-04 17:00 <DIR> d-------- C:\Temp\fse
2007-08-04 17:00 <DIR> d-------- C:\Temp\1cb
2007-08-04 17:00 <DIR> d-------- C:\Temp
2007-08-04 13:03 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Google
2007-08-04 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-04 13:00 <DIR> d-------- C:\Program Files\Google
2007-08-04 12:18 12,219,983 --------- C:\AVG7QT.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 22:50 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-07 22:14 --------- d-------- C:\Program Files\Online Services
2007-08-07 22:13 --------- d-------- C:\DOCUME~1\User\APPLIC~1\OpenOffice.org2
2007-08-06 19:54 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-06 18:32 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 15:54 --------- d-------- C:\Program Files\Messenger
2007-05-16 10:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 04:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-10-11 00:39 C:\WINDOWS\system32\pctspk.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-04 12:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 13:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\system32\DRIVERS\wlluc48.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 22:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 22:54:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 22:54

--- E O F ---

I have Windows XP in case that makes a difference.
08-07-2007, 09:10 PM #4
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: "Trojan Horse Generic"

Open Notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\configs
C:\Temp\fse
C:\Temp\1cb

Save this as "CFScript".

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Click here to perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
08-08-2007, 07:27 AM #5
EastSport
Registered User
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

Hijackthis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:59 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.narmir.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186342231433
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4777 bytes

Combofix:
ComboFix 07-08-07.6 - "User" 2007-08-07 22:48:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\OpenOffice.org 2.2\homeqyx4444.dll
C:\Program Files\OpenOffice.org 2.2\homeqyx83122.dll
C:\Program Files\TTC.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\TTC-4444.exe


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-07 22:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 22:47 1,411,770 --a------ C:\ComboFix.exe
2007-08-07 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 22:16 812,344 --a------ C:\HJTInstall.exe
2007-08-07 21:27 164 --a------ C:\install.dat
2007-08-07 21:25 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\GetRightToGo
2007-08-07 16:15 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2007-08-07 16:15 249,072 --a------ C:\WINDOWS\UNINST16.EXE
2007-08-07 15:44 <DIR> d-------- C:\BEST250
2007-08-07 15:43 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-08-07 15:43 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-08-07 15:43 356,992 --a------ C:\WINDOWS\system\VBRUN200.DLL
2007-08-07 15:43 283,648 --a------ C:\WINDOWS\uninst.exe
2007-08-07 15:43 28,433 --a------ C:\WINDOWS\SETUP1.EXE
2007-08-07 15:43 271,264 --a------ C:\WINDOWS\system\VBRUN100.DLL
2007-08-07 15:43 <DIR> d-------- C:\DOCUME~1\User\WINDOWS
2007-08-06 18:31 <DIR> d-------- C:\Program Files\KONAMI
2007-08-05 16:38 <DIR> d-------- C:\Program Files\MTV Networks
2007-08-05 16:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-08-05 16:34 524,288 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-08-05 16:13 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-05 16:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-05 16:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-05 16:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-05 15:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-05 14:37 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-05 14:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-05 14:37 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-05 14:32 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-05 14:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-04 17:07 <DIR> d-------- C:\Program Files\Project64 1.6
2007-08-04 17:04 <DIR> d-------- C:\Program Files\7-Zip
2007-08-04 17:00 <DIR> d-------- C:\WINDOWS\system32\f02WtR
2007-08-04 17:00 <DIR> d-------- C:\WINDOWS\system32\configs
2007-08-04 17:00 <DIR> d-------- C:\Temp\fse
2007-08-04 17:00 <DIR> d-------- C:\Temp\1cb
2007-08-04 17:00 <DIR> d-------- C:\Temp
2007-08-04 13:03 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Google
2007-08-04 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-04 13:00 <DIR> d-------- C:\Program Files\Google
2007-08-04 12:18 12,219,983 --------- C:\AVG7QT.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 22:50 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-07 22:14 --------- d-------- C:\Program Files\Online Services
2007-08-07 22:13 --------- d-------- C:\DOCUME~1\User\APPLIC~1\OpenOffice.org2
2007-08-06 19:54 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-06 18:32 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 15:54 --------- d-------- C:\Program Files\Messenger
2007-05-16 10:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 04:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-10-11 00:39 C:\WINDOWS\system32\pctspk.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-04 12:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 13:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\system32\DRIVERS\wlluc48.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 22:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 22:54:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-07 22:54

--- E O F ---


KOS scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 9:17:10 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/08/2007
Kaspersky Anti-Virus database records: 377010
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 23561
Number of viruses found: 2
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 01:01:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007080820070809\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\hsperfdata_User\3064 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\OpenOffice.org 2.2\homeqyx4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\OpenOffice.org 2.2\homeqyx83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\configs\kmhp83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\configs\kmhp83122.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP19\A0002259.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP19\A0002259.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP19\A0002261.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0002368.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0002368.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0003348.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0003357.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0003357.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP21\A0003843.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP21\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP22\A0004020.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP22\A0004020.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP22\A0004022.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP22\A0004031.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP22\A0004031.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP22\A0004039.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP23\A0004185.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP23\A0004185.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP24\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP25\A0004224.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP25\A0004235.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP25\A0004235.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP25\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004276.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004280.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004280.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004282.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004286.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004286.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004316.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004322.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\A0004322.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP26\snapshot\MFEX-2.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP27\A0004342.dll Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP27\A0004343.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP27\A0004344.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP27\A0004345.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP27\A0004345.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP27\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP28\A0004444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP28\A0004444.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP28\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

While doing the KOS scan, this was detected:

(there should be an attachment with a BitMap image.)
Attached image: TD.bmp (298.4 KB)
Old 08-08-2007, 10:40 AM   #6 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

so can it be healed?

Also, I'm not sure if I said this, but whenever AVG heals the "Trojan Horse Generic"s, they just reappear later.
Old 08-08-2007, 11:32 AM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: "Trojan Horse Generic"

Quote:
ComboFix 07-08-07.6 - "User" 2007-08-07 22:48:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
You posted an incorrect copy of the ComboFix log. This was the log from your previous run. I would like a copy of the log that's produced after running CFScript.

Quote:
so can it be healed?
"Healed" is a misnomer. If legitimate files get patched by malware code, antivirus programs will attempt to heal/repair them (to remove the malware code & restore the file). Some files are, in their entirety, created by malware. There's no healing for them. They need to be deleted. The picture you attached shows an infected file from the System Volume Information folder; that's where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.

Go to Start → Run → type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


-------


C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it


Tell me if you're still getting AVG alerts after this.


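An added triage helper for the online scanner output posted above; it is written for this thread and is not part of it, nor of any scanner or of ComboFix. It parses the three line shapes the scan shows (Infected, NSIS archive, Object is locked) and separates hits inside System Restore's cache, which the System Restore toggle in the post above clears, from files that still need removing. The one non-cache sample path is taken from the ComboFix log later in the thread; its detection name is a constructed placeholder, not a real signature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line shapes seen in the online scanner output posted in this thread.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) NSIS: infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# System Restore keeps its cache under System Volume Information\_restore{GUID}\RPnn
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[^}]*\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str                      # "file.exe/data0002" means a member inside an installer
    kind: str                      # "infected", "archive" (installer holding an infected member) or "locked"
    detection: Optional[str]       # scanner's detection name, for "infected" lines only
    restore_point: Optional[str]   # "RPnn" when the file sits in System Restore's cache, else None

    @property
    def in_restore_cache(self) -> bool:
        return self.restore_point is not None


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a scanner result line, or None for any other line."""
    line = line.rstrip()
    for kind, rx in (("infected", INFECTED_RE), ("archive", ARCHIVE_RE), ("locked", LOCKED_RE)):
        m = rx.match(line)
        if m:
            path = m.group("path")
            rp = RESTORE_RE.match(path)
            return Finding(path, kind, m.groupdict().get("name"), rp.group("rp") if rp else None)
    return None


def triage(scan_text: str) -> dict:
    """Split detections into restore-cache hits (inert until a manual restore and cleared
    by toggling System Restore off and on) and live files that still need cleanup."""
    findings = [f for f in map(parse_line, scan_text.splitlines()) if f is not None]
    infected = [f for f in findings if f.kind == "infected"]
    return {
        "locked": sum(1 for f in findings if f.kind == "locked"),
        "restore_cache_only": [f.path for f in infected if f.in_restore_cache],
        "needs_cleanup": [f.path for f in infected if not f.in_restore_cache],
        "restore_points": sorted({f.restore_point for f in infected if f.in_restore_cache}),
        "detections": sorted({f.detection for f in infected}),
    }


# Constructed sample: four lines in the format of the scan posted above plus one constructed
# non-cache hit (path from the ComboFix log in this thread; detection name is a placeholder).
SAMPLE_SCAN = "\n".join([
    r"C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0002368.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped",
    r"C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP20\A0002368.exe NSIS: infected - 1 skipped",
    r"C:\System Volume Information\_restore{6D05FE71-1DD0-4C20-A746-46C249C73DF1}\RP28\change.log Object is locked skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\WINDOWS\system32\configs\kmhp83122.exe Infected: Constructed.Example.Detection skipped",
    "",
    "Scan process completed.",
])

if __name__ == "__main__":
    summary = triage(SAMPLE_SCAN)
    print(f"locked/skipped files: {summary['locked']}")
    print(f"restore points holding detections (cleared by the System Restore toggle): {summary['restore_points']}")
    for p in summary["needs_cleanup"]:
        print("still needs cleanup:", p)
```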
Old 08-08-2007, 12:12 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

okay I've turned off system restore...

and qoobox is deleted (moved to the recycle bin which has not been emptied yet).

Today I haven't gotten any alerts, but I'm sure they are imminent.

so after doing this I should no longer have trojan horse generic things?

and that tk stuff?

That combofix data was named ComboFix2... which I assumed was the latest results page... there was another one... which was named ComboFix ... both of which were not named by me.

"Combo Fix"
ComboFix 07-08-07.6 - "User" 2007-08-07 23:26:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -5:00]
Command switches used :: C:\Documents and Settings\User\My Documents\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\configs\kmhp83122.exe
C:\WINDOWS\system32\f02WtR


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-07 22:47 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 22:47 1,411,770 --a------ C:\ComboFix.exe
2007-08-07 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 22:16 812,344 --a------ C:\HJTInstall.exe
2007-08-07 21:27 164 --a------ C:\install.dat
2007-08-07 21:25 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\GetRightToGo
2007-08-07 16:15 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2007-08-07 16:15 249,072 --a------ C:\WINDOWS\UNINST16.EXE
2007-08-07 15:44 <DIR> d-------- C:\BEST250
2007-08-07 15:43 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2007-08-07 15:43 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2007-08-07 15:43 356,992 --a------ C:\WINDOWS\system\VBRUN200.DLL
2007-08-07 15:43 283,648 --a------ C:\WINDOWS\uninst.exe
2007-08-07 15:43 28,433 --a------ C:\WINDOWS\SETUP1.EXE
2007-08-07 15:43 271,264 --a------ C:\WINDOWS\system\VBRUN100.DLL
2007-08-07 15:43 <DIR> d-------- C:\DOCUME~1\User\WINDOWS
2007-08-06 18:31 <DIR> d-------- C:\Program Files\KONAMI
2007-08-05 16:38 <DIR> d-------- C:\Program Files\MTV Networks
2007-08-05 16:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-08-05 16:34 524,288 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-08-05 16:13 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-05 16:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-05 16:06 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-05 16:06 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-05 15:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-05 14:37 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-05 14:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-05 14:37 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-05 14:32 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-05 14:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-04 17:07 <DIR> d-------- C:\Program Files\Project64 1.6
2007-08-04 17:04 <DIR> d-------- C:\Program Files\7-Zip
2007-08-04 17:00 <DIR> d-------- C:\Temp
2007-08-04 13:03 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Google
2007-08-04 13:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-04 13:00 <DIR> d-------- C:\Program Files\Google
2007-08-04 12:18 12,219,983 --------- C:\AVG7QT.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 22:53 --------- d-------- C:\DOCUME~1\User\APPLIC~1\OpenOffice.org2
2007-08-07 22:50 --------- d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-07 22:14 --------- d-------- C:\Program Files\Online Services
2007-08-06 19:54 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-06 18:32 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 15:54 --------- d-------- C:\Program Files\Messenger
2007-05-16 10:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 04:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-10-11 00:39 C:\WINDOWS\system32\pctspk.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-04 12:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 13:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56]

S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\system32\DRIVERS\wlluc48.sys

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 23:28:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData"="C:\Documents and Settings\Default User\Application Data"
"Cookies"="C:\Documents and Settings\Default User\Cookies"
"Desktop"="C:\Documents and Settings\Default User\Desktop"
"Favorites"="C:\Documents and Settings\Default User\Favorites"
"NetHood"="C:\Documents and Settings\Default User\NetHood"
"Personal"="C:\Documents and Settings\Default User\My Documents"
"PrintHood"="C:\Documents and Settings\Default User\PrintHood"
"Recent"="C:\Documents and Settings\Default User\Recent"
"SendTo"="C:\Documents and Settings\Default User\SendTo"
"Start Menu"="C:\Documents and Settings\Default User\Start Menu"
"Templates"="C:\Documents and Settings\Default User\Templates"
"Programs"="C:\Documents and Settings\Default User\Start Menu\Programs"
"Startup"="C:\Documents and Settings\Default User\Start Menu\Programs\Startup"
"Local Settings"="C:\Documents and Settings\Default User\Local Settings"
"Local AppData"="C:\Documents and Settings\Default User\Local Settings\Application Data"
"Cache"="C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files"
"History"="C:\Documents and Settings\Default User\Local Settings\History"
"My Pictures"=""
"My Music"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SmallIcons]
"SmallIcons"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
"MigrateProxy"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"1001"=dword:00000000
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
"Flags"=dword:000000db
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
"1001"=dword:00000000
"1206"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1806"=dword:00000000
"1807"=dword:00000000
"1A00"=dword:00000000
"1A05"=dword:00000000
"1A10"=dword:00000000
"1E05"=dword:00030000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"1407"=dword:00000000
"1601"=dword:00000001
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
"1604"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"CurrentLevel"=dword:00010500
"Flags"=dword:000000db

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"CurrentLevel"=dword:00010000
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000001
"1206"=dword:00000000
"1406"=dword:00000000
"1407"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000000
"1805"=dword:00000000
"1806"=dword:00000000
"1809"=dword:00000003
"1A00"=dword:00000000
"1A04"=dword:00000000
"1A05"=dword:00000000
"1C00"=dword:00030000
"1E05"=dword:00030000
"2102"=dword:00000000
"2200"=dword:00000000
"2201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"1407"=dword:00000000
"1601"=dword:00000001
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"CurrentLevel"=dword:00012000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme]
"Wallpaper"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-28995"="Shared Music"
"C:\WINDOWS\system32\regsvr32.exe"="Microsoft(C) Register Server"
"C:\WINDOWS\system32\RUNDLL32.exe"="Run a DLL as an App"
"C:\WINDOWS\system32\mshta.exe"="Microsoft (R) HTML Application host"
"C:\WINDOWS\system32\fixmapi.exe"="FIXMAPI 1.0 MAPI Repair Tool"
"C:\WINDOWS\system32\odbcconf.exe"="Microsoft Data Access - ODBC Driver Configuration Program"
"C:\WINDOWS\system32\mstinit.exe"="Task Scheduler Setup"
"C:\Program Files\Outlook Express\setup50.exe"="Outlook Express Setup Library"
"C:\WINDOWS\system32\logagent.exe"="Windows Media Player Logagent"
"C:\WINDOWS\INF\unregmp2.exe"="Microsoft Windows Media Player Setup Utility"
"C:\WINDOWS\system32\Cmd.exe"="Windows Command Processor"
"C:\WINDOWS\pchealth\uploadlb\binaries\uploadm.exe"="PC Health Upload Manager"
"C:\Program Files\Windows Media Player\migrate.exe"="MLS Migrate DLL"
"C:\WINDOWS\system32\grpconv.exe"="Windows Progman Group Converter"
[HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace]
"LocalBase"="C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"
"DTDFile"="C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"
"LocalDelta"="C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"
"RemoteDelta"="C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 23:29:38
C:\ComboFix-quarantined-files.txt ... 2007-08-07 23:29
C:\ComboFix2.txt ... 2007-08-07 22:54

--- E O F ---

Old 08-08-2007, 01:13 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: "Trojan Horse Generic"

Quote:
okay I've turned off system restore...
You're supposed to turn it off & then on again. This action will reset the cache.
Quote:
Today I haven't gotten any alerts, but I'm sure they are imminent
Life has many surprises. You may be wrong.

Use the machine as you normally would for the next 1-2 days. If all goes well, come back & tell me about it

Old 08-08-2007, 02:17 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

so now everything should be good?
Old 08-08-2007, 02:25 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: "Trojan Horse Generic"

Yes, it's good.

Remember to come later to tell me how it has been

Old 08-09-2007, 03:56 PM   #12 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

well, it's been one day, and I've not gotten ANY threats or unwanted popups!

Needless to say, AVG found ZERO threats in itself!

thank you so much for all your help!

I'll make sure that any time I need help with something of this nature I will find you guys ASAP! =)
Old 08-09-2007, 04:14 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: "Trojan Horse Generic"

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  2. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  3. MICROSOFT WINDOWS UPDATE → http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  5. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here → http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

Old 08-11-2007, 10:26 AM   #14 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Alabama
Posts: 54
OS: Windows XP sp 3


Re: "Trojan Horse Generic"

thanks a bunch =)
Copyright 2001 - 2009, Tech Support Forum