Win32/Rustock.gen!C help needed please!!!

[Mortson]

The log is too big to fit in the reply box! Would you like me to e-mail the log to you or send it some way?

[tetonbob]

See if you can attach it.

Otherwise, upload it here:

http://www.bleepingcomputer.com/subm...php?channel=28

[Mortson]

Uploaded

[tetonbob]

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\Backup of Mortlock 070107\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\JH8N812Z\BearShareV6[1].exe
C:\WINDOWS\system32\i

Folder::
C:\WINDOWS\system32\i

Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log and the log from ComboFix.

[Mortson]

Okay I'm doing what you requested. Are you near a conclusion on what I should to to rid my computer of the virus?

[tetonbob]

I guess I don't understand the question....as that's what we've been doing this whole time.

[Mortson]

ComboFix log below:


ComboFix 07-08-15.3 - "Joshua" 2007-08-15 7:33:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Joshua\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Backup of Mortlock 070107\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\JH8N812Z\BearShareV6[1].exe
C:\WINDOWS\system32\i


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Backup of Mortlock 070107\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\JH8N812Z\BearShareV6[1].exe
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\i
C:\WINDOWS\system32\i\


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-15 07:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 20:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-13 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-13 10:47 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-08-12 16:12 5,505,024 --a------ C:\DOCUME~1\Joshua\ntuser.dat
2007-08-09 08:20 <DIR> d-------- C:\Program Files\Arcane Light Messenger Tools 4.1
2007-08-09 08:19 <DIR> d-------- C:\Program Files\Download Manager
2007-08-08 12:17 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys
2007-08-08 09:10 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys
2007-08-08 07:55 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(8).sys
2007-08-07 08:59 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(9).sys
2007-08-04 18:18 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(10).sys
2007-08-04 13:53 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(11).sys
2007-08-01 07:13 <DIR> d-------- C:\Program Files\AoA Audio Extractor
2007-07-28 18:57 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-28 16:28 <DIR> d-------- C:\Program Files\NCH Software
2007-07-28 16:16 <DIR> d-------- C:\Program Files\YouTube Video Downloader
2007-07-19 21:44 <DIR> d-------- C:\Program Files\Chronograph
2007-07-16 19:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-16 19:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-16 19:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 07:36 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\OpenOffice.org2
2007-08-14 19:14 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-08-10 21:57 --------- d-------- C:\Program Files\CRB
2007-08-09 18:00 --------- d-------- C:\Program Files\NCH Swift Sound
2007-08-09 10:08 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-09 08:19 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 08:19 --------- d-------- C:\Program Files\Acoustica DJ Twist And Burn
2007-08-09 08:13 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\IGN_DLM
2007-08-09 08:11 --------- d-------- C:\Program Files\Acoustica Shared Effects
2007-08-08 13:03 --------- d-------- C:\Program Files\eMule
2007-08-01 17:06 --------- d-------- C:\Program Files\FST Calculator
2007-07-28 19:15 --------- d-------- C:\Program Files\Gpotato
2007-07-22 22:04 --------- d-------- C:\Program Files\Google
2007-07-12 07:24 --------- d-------- C:\Program Files\AnalogX
2007-07-12 07:19 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\Acoustica
2007-07-09 17:52 --------- d-------- C:\Program Files\Winamp
2007-07-09 17:09 80 -r-hs---- C:\WINDOWS\system32\57906271A7.dll
2007-07-09 17:09 --------- d-------- C:\Program Files\Amond Software
2007-07-08 09:34 --------- d-------- C:\Program Files\Activision
2007-07-05 17:50 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\Reno 911 Paintball
2007-06-30 18:33 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-29 19:37 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\NCH Swift Sound
2007-06-26 17:26 --------- d-------- C:\Program Files\TalkTalk
2007-06-26 17:26 --------- d-------- C:\Program Files\SupportSoft
2007-06-26 17:26 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-26 16:39 --------- d-------- C:\Program Files\Common Files\AVSMedia
2007-06-26 16:13 851968 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 15:35 665600 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-25 19:58 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\MSN6
2007-06-24 17:51 --------- d-------- C:\DOCUME~1\Joshua\APPLIC~1\Hewlett-Packard
2007-06-24 09:26 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys
2007-06-21 16:27 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys
2007-06-20 17:21 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys
2007-06-19 17:04 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 09:12 96256 --a--c--- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 09:12 616960 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 09:12 55808 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 09:12 532480 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 09:12 474112 -----c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 09:12 449024 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 09:12 39424 --a--c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 09:12 357888 --a--c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 09:12 3064320 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 09:12 251904 --a--c--- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 09:12 205824 --a--c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 09:12 16384 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 09:12 151040 -----c--- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 09:12 1498112 -----c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 09:12 146432 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 09:12 1054208 -----c--- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 09:12 1022976 -----c--- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 11:32 18432 --a--c--- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-11 22:15 203264 --a------ C:\WINDOWS\system32\MCW32.DLL
2007-06-07 22:17 876032 --a------ C:\WINDOWS\system32\VFP6RENU.DLL
2007-06-07 22:17 69632 --a------ C:\WINDOWS\system32\DZSTACTX.DLL
2007-06-07 22:17 6656 --a------ C:\WINDOWS\system32\FOXHHELPPS.DLL
2007-06-07 22:17 61440 --a------ C:\WINDOWS\system32\WWIPSTUF.DLL
2007-06-07 22:17 3373328 --a------ C:\WINDOWS\system32\VFP6R.DLL
2007-06-07 22:17 26112 --a------ C:\WINDOWS\system32\FOXHHELP.EXE
2007-06-07 22:17 24990 --a------ C:\WINDOWS\system32\VFP6RUN.EXE
2007-06-07 22:17 249856 --a------ C:\WINDOWS\system32\DZACTX.DLL
2007-06-07 22:17 229376 --a------ C:\WINDOWS\system32\DUZACTX.DLL
2007-06-07 22:17 120056 --a------ C:\WINDOWS\system32\PINGX.DLL
2007-06-07 22:17 118784 --a------ C:\WINDOWS\system32\RASX.DLL
2007-05-17 12:28 549376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-17 12:28 549376 --------- C:\WINDOWS\system32\oleaut32.dll
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:34]
"nForce Tray Options"="sstray.exe" [2002-12-05 13:23 C:\WINDOWS\system32\sstray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-25 01:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 C:\WINDOWS\system32\bthprops.cpl]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 00:12]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-08 19:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"xi4dc"="c:\program files\habbo\activex\please goto system32\files\ocx\dll\data\csrss.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 22:57]
"Chronograph"="C:\Program Files\Chronograph\chrono.exe" [2007-04-24 22:38]

C:\Documents and Settings\Joshua\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 17:45:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-02-10 15:11:08]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 0258]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mszsrn32]

S2 Install Driver Table Manager;Install Driver Manager;"C:\WINDOWS\wpablan.exe"
S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\System32\msasvc.exe
S3 dump_wmimmc;dump_wmimmc;\??\C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys
S3 spydetector;spydetector;\??\C:\Program Files\Spyware Process Detector\spydetector.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44dba336-afc9-11db-b938-0090d0a67f28}]
AutoRun\command- Don't_Tell_The_Professionals!_-_CD1.exe


Contents of the 'Scheduled Tasks' folder
2007-08-14 21:24:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
2007-05-17 14:45:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1168357262.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-04-27 2314 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 07:37:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 7:40:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-15 07:40
C:\ComboFix2.txt ... 2007-08-12 19:53
C:\ComboFix3.txt ... 2007-08-12 18:55

--- E O F ---

[Mortson]

SDFix:



SDFix: Version 1.98

Run by Joshua on 15/08/2007 at 07:49

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Install Driver Table Manager
MsaSvc

ImagePath:
"C:\WINDOWS\wpablan.exe"
C:\WINDOWS\System32\msasvc.exe

Install Driver Table Manager - Deleted
MsaSvc - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\WINDOWS\system32\57906271A7.dll
C:\Backup of Mortlock 070107\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Backup of Mortlock 070107\Documents and Settings\Christian\NTUSER.DAT.COPY.TMP.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Experiment\NTUSER.DAT.COPY.TMP.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Guest\NTUSER.DAT.COPY.TMP.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Jonathan\NTUSER.DAT.COPY.TMP.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Joshua\NTUSER.DAT.COPY.TMP.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\IT\~WRL0004.tmp
C:\Backup of Mortlock 070107\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\IT\~WRL0261.tmp
C:\Backup of Mortlock 070107\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\RS\Holocaust\~WRL0002.tmp
C:\Backup of Mortlock 070107\Documents and Settings\Sue_2\NTUSER.DAT.COPY.TMP.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Tony\NTUSER.DAT.COPY.TMP.LOG
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\Geography\~WRL0003.tmp
C:\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\IT\~WRL0004.tmp
C:\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\IT\~WRL0261.tmp
C:\Documents and Settings\Joshua\My Documents\Documents\K.E.S VI\YEAR 8\RS\Holocaust\~WRL0002.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
C:\Backup of Mortlock 070107\Documents and Settings\Tony\Local Settings\Temp\Temporary Directory 1 for 05MortlockJ.zip\05MortlockJ\Images\Thumbs.db

Finished

[Mortson]

HijackThis:



Logfile of HijackThis v1.99.1
Scan saved at 08:01:38, on 15/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\hjk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xi4dc] c:\program files\habbo\activex\please goto system32\files\ocx\dll\data\csrss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Chronograph] "C:\Program Files\Chronograph\chrono.exe" /autorun
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?8eb85512b2344245b17926c4bbee6551
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?8eb85512b2344245b17926c4bbee6551
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Joshua\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Homepage - {25D93640-EFB4-4335-B0C9-8189D26504CA} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {7EA563BC-0C67-4487-AB4D-6FF2E1EBE9F8} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/gam...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/gam...ts/y/ct5_x.cab
O16 - DPF: Yahoo! Hearts - http://download2.games.yahoo.com/gam...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by126w.bay126.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168724651500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168805068015
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/...y4LotTeleX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport...ScapeTeleX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[tetonbob]

Almost done....

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKCU\..\Run: [xi4dc] c:\program files\habbo\activex\please goto system32\files\ocx\dll\data\csrss.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------



Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following in BOLD:
  
  C:\WINDOWS\system32\57906271A7.dll
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• Once scanned, copy and paste the results in your next reply.

[Mortson]

VirusTotal log:


Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File 57906271A7.dll received on 08.15.2007 19:30:22 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 5.
Estimated start time is between 64 and 91 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.15.0 2007.08.14 -
AntiVir 7.4.1.62 2007.08.15 -
Authentium 4.93.8 2007.08.15 -
Avast 4.7.1029.0 2007.08.15 -
AVG 7.5.0.476 2007.08.14 -
BitDefender 7.2 2007.08.15 -
CAT-QuickHeal 9.00 2007.08.14 -
ClamAV 0.91 2007.08.15 -
DrWeb 4.33 2007.08.15 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5061 2007.08.15 -
Ewido 4.0 2007.08.15 -
FileAdvisor 1 2007.08.15 -
Fortinet 2.91.0.0 2007.08.15 -
F-Prot 4.3.2.48 2007.08.14 -
F-Secure 6.70.13030.0 2007.08.15 -
Ikarus T3.1.1.12 2007.08.15 -
Kaspersky 4.0.2.24 2007.08.15 -
McAfee 5098 2007.08.15 -
Microsoft 1.2704 2007.08.15 -
NOD32v2 2464 2007.08.15 -
Norman 5.80.02 2007.08.15 -
Panda 9.0.0.4 2007.08.14 -
Prevx1 V2 2007.08.15 -
Rising 19.36.22.00 2007.08.15 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.14 -
Symantec 10 2007.08.15 -
TheHacker 6.1.8.168 2007.08.15 -
VBA32 3.12.2.2 2007.08.14 -
VirusBuster 4.3.26:9 2007.08.15 -
Webwasher-Gateway 6.0.1 2007.08.15 -
Additional information
File size: 80 bytes
MD5: f19ab3bfc4d6d35fd50d5e14a5e5232c
SHA1: 3a1c13e4dfaa95d006e289f051890c26eae6e94c

[tetonbob]

Looks harmless, then.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\

Run a new scan, save the log and post it.

---------------------------------------------------------------------------------------------

How is your system behaving, please?

[Mortson]

The system hasn't crashed recently and it is quite smooth atm.

[Mortson]

HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 07:40:26, on 16/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Chronograph] "C:\Program Files\Chronograph\chrono.exe" /autorun
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?8eb85512b2344245b17926c4bbee6551
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?8eb85512b2344245b17926c4bbee6551
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Joshua\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Homepage - {25D93640-EFB4-4335-B0C9-8189D26504CA} - http://bt.yahoo.com (file missing) (HKCU)
O9 - Extra button: BT - {7EA563BC-0C67-4487-AB4D-6FF2E1EBE9F8} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/gam...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/gam...ts/y/ct5_x.cab
O16 - DPF: Yahoo! Hearts - http://download2.games.yahoo.com/gam...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by126w.bay126.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1168724651500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168805068015
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/...y4LotTeleX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport...ScapeTeleX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[tetonbob]

Your logs appear clean.You should be good to go. We still have a few items to address.

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it

Please also delete ComboFix.exe

SDFix.exe and it's folder, C:\SDFix can also be deleted.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Clear & Reset System Restore's Cache

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  Here are a few very good free Antivirus products which are available:
  • Avast!
  • AVG
  • Avira PersonalEdition Classic
  Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  

  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial

• FIREWALL
  If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:
  
  Do not install more than one firewall program because they will conflict with each other.

• Comodo Personal Firewall
• ZoneAlarm

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Mortson]

Thank you so much! You are a computer god! I've downloaded the recommended programs so I should be trojan free!

Thanks again, Mortson.

[tetonbob]

You're quite welcome for the help.

Remember, common sense in using the web is the most important aspect of system protection.

Surf Safe out there!