Assistance needed-TFRA/TFRC/TFR8

infidel · 01-17-2008, 12:38 PM

Hi
My AVG Anti Virus has picked up a Virus recently which it calls LOP.
It is or possibly was in system32 folder and went under TFRA, TFRC and TFR8.dll
I moved it to the Vault and blocked it from accesing the Internet using ZoneAlarm. Now when my internet first loads up it loads up another browser saying page cannot be displayed suggesting it is still trying to access the internet but zonealarm is stopping it. i have tried AVG scan and shows no problems. I have tried Spybot which found nothing. i tried panda quickscan found nothing. i tried mcafee scan which found nothing. However this has not assured me so i seek your help.
Here is the log, many thanks in advance for your help

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-17 19:08:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
13: 2008-01-17 19:08:14 UTC - RP184 - Deckard's System Scanner Restore Point
12: 2008-01-17 19:04:14 UTC - RP183 - Software Distribution Service 3.0
11: 2008-01-17 16:59:01 UTC - RP182 - Installed Java(TM) 6 Update 3
10: 2008-01-16 18:39:53 UTC - RP181 - System Checkpoint
9: 2008-01-08 20:19:00 UTC - RP180 - Software Distribution Service 3.0

-- First Restore Point --
1: 2007-09-30 13:47:10 UTC - RP172 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-17 19:10:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [2ca129d3] rundll32.exe "C:\WINDOWS\khigef.dll",b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: PCPitstop-Tracks-Checker () - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/bham/supp.../ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool) - http://download.microsoft.com/downlo...WebCleaner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/...r/PROFILER.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll
O20 - Winlogon Notify: fdibhhej - C:\WINDOWS\system32\fdibhhej.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9443 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel(R) Wireless LAN Packet Driver>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 e3abb741-f704-4d56-b70a-5e7b51b0e36f - d:\player\cds300.dll (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 Epiusb (USB Flash) - c:\windows\system32\drivers\epiusb.sys <Not Verified; Ericsson Mobile Communications AB; Ericsson Programming Interface USB Driver>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel(R) iQVW32.SYS>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/XP>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 w800bus (Sony Ericsson W800 driver (WDM)) - c:\windows\system32\drivers\w800bus.sys <Not Verified; MCCI; Sony Ericsson W800>
S3 w800mdfl (Sony Ericsson W800 USB WMC Modem Filter) - c:\windows\system32\drivers\w800mdfl.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem Filter Driver>
S3 w800mdm (Sony Ericsson W800 USB WMC Modem Drivers) - c:\windows\system32\drivers\w800mdm.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem>
S3 w800mgmt (Sony Ericsson W800 USB WMC Device Management Drivers) - c:\windows\system32\drivers\w800mgmt.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Device Management>
S3 w800obex (Sony Ericsson W800 USB WMC OBEX Interface Drivers) - c:\windows\system32\drivers\w800obex.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC OBEX Interface>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&39A85202&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&39A85202&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5D28C304A4FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\5D28C304A4FC000
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS

-- Files created between 2007-12-17 and 2008-01-17 -----------------------------

2008-01-17 17:19:59 0 d-------- C:\Program Files\PCPitstop
2008-01-17 17:11:33 0 d-------- C:\WINDOWS\LastGood
2008-01-17 17:08:08 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-01-16 22:10:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-16 22:10:53 0 d-------- C:\Documents and Settings\Owner\Application Data\PrevxCSI
2008-01-16 22:07:37 73216 --a------ C:\WINDOWS\khigef.dll
2008-01-14 20:25:34 138240 --a------ C:\WINDOWS\system32\fdibhhej.dll

-- Find3M Report ---------------------------------------------------------------

2008-01-17 17:08:57 0 d-------- C:\Program Files\CCleaner
2008-01-17 17:02:20 0 d-------- C:\Program Files\Java
2008-01-16 17:28:57 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-13 17:20:36 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-05 21:35:20 0 d-------- C:\Program Files\DivX
2007-12-04 01:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-29 22:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 22:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 21:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-27 18:03:39 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 10:33]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 00:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [20/12/2007 16:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [05/07/2005 00:32]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [27/06/2005 07:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [26/01/2007 17:37]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/09/2007 16:14]
"2ca129d3"="C:\WINDOWS\khigef.dll" [16/01/2008 22:07]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 12:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdibhhej]
C:\WINDOWS\system32\fdibhhej.dll 14/01/2008 20:25 138240 C:\WINDOWS\system32\fdibhhej.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 05/07/2005 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-01-17 19:11:38 ------------

infidel · 01-21-2008, 02:24 AM

BUMP

Problem has got worse, number of viruses being shown by AVG...please help

infidel · 01-28-2008, 02:16 AM

Bump!

tetonbob · 01-28-2008, 10:22 PM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

infidel · 03-02-2008, 02:45 PM

Hi, im really sorry about the very long delay,

COmbifix log:

ComboFix 08-03-03.4 - Owner 2008-03-02 21:35:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1355 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2008-03-02 18:49 . 2008-03-02 18:49 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-03-02 18:41 . 2008-03-02 18:39 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 18:41 . 2008-03-02 18:41 2,550 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 21:36 129,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-02 21:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 20:37 --------- d-----w C:\Program Files\Creative
2008-03-02 20:35 --------- d-----w C:\Program Files\CCleaner
2008-03-02 20:24 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-02 18:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-26 21:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-18 19:11 72,704 ----a-w C:\WINDOWS\pmlklk.dll
2008-01-17 17:24 --------- d-----w C:\Program Files\PCPitstop
2008-01-17 17:02 --------- d-----w C:\Program Files\Java
2008-01-16 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\PrevxCSI
2008-01-16 22:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2006-11-12 12:00 19,456,157 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_11_12_10_44_30_full.dmp.zip
2006-11-05 17:28 18,810,585 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_29_20_47_33_full.dmp.zip
2006-10-26 14:17 19,323,601 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_26_12_59_15_full.dmp.zip
2006-10-26 14:15 19,216,143 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_25_13_40_52_full.dmp.zip
2006-10-10 18:50 19,279,531 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_10_03_04_07_full.dmp.zip
2006-09-29 09:59 19,228,168 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_28_00_31_36_full.dmp.zip
2006-09-23 19:20 19,546,257 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_17_19_51_35_full.dmp.zip
2006-09-05 09:05 19,007,473 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_04_12_53_46_full.dmp.zip
2006-08-31 12:32 1,670,656 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2006-08-31 12:32 1,342,976 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2006-08-20 22:27 19,179,513 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_13_12_00_37_full.dmp.zip
2006-08-11 10:14 10,698,976 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-08-07 18:14 19,228,489 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_07_01_40_55_full.dmp.zip
2006-03-13 16:18 526,336 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2006-02-20 21:00 224,256 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2006-02-08 22:44 51,712 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2006-02-07 11:43 2,178,048 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2005-09-16 12:14 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2005-09-16 12:14 1,583,616 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2005-09-09 11:07 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2005-09-09 11:06 1,556,480 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2005-09-09 11:02 91,136 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2005-09-09 11:02 1,556,480 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2005-06-25 14:38 1,531,904 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2005-06-25 14:38 1,158,144 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 10:33 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 16:52 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 00:32 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 07:31 135168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-26 17:37 98304]
"2ca129d3"="C:\WINDOWS\pmlklk.dll" [2008-01-18 19:11 72704]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-27 17:16 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdibhhej]
C:\WINDOWS\system32\fdibhhej.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-12 13:55 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-26 17:37 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2006-02-22 12:25]
S3 e3abb741-f704-4d56-b70a-5e7b51b0e36f;e3abb741-f704-4d56-b70a-5e7b51b0e36f;D:\Player\cds300.dll []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 19:01]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 21:36:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-03 21:37:40
.
2008-02-21 18:03:06 --- E O F ---

Hijack this log:

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:30, on 03/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2ca129d3] rundll32.exe "C:\WINDOWS\pmlklk.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - http://site.ebrary.com/lib/bham/supp.../ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
O16 - DPF: {B2CD6005-80DA-4EC6-9D35-ECA638F8C086} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O20 - Winlogon Notify: fdibhhej - C:\WINDOWS\system32\fdibhhej.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8625 bytes

-- Files created between 2008-02-03 and 2008-03-03 -----------------------------

2008-03-03 21:40:20 0 d-------- C:\Program Files\Trend Micro
2008-03-02 21:33:58 0 d-------- C:\cmdcons
2008-03-02 21:33:13 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-02 21:33:13 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-02 21:33:13 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-02 21:33:13 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-02 20:34:39 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-03-02 18:49:20 0 d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-03-02 18:49:20 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-03-02 18:41:14 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 18:41:14 2550 --a------ C:\WINDOWS\unins000.dat

-- Find3M Report ---------------------------------------------------------------

2008-03-02 20:37:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 20:37:13 0 d-------- C:\Program Files\Creative
2008-03-02 20:35:49 0 d-------- C:\Program Files\CCleaner
2008-03-02 20:21:52 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-26 21:32:10 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-18 21:30:02 56 --a------ C:\WINDOWS\system32\fdibhhej.cmd
2008-01-18 19:11:17 72704 --a------ C:\WINDOWS\pmlklk.dll
2008-01-17 17:24:50 0 d-------- C:\Program Files\PCPitstop
2008-01-17 17:02:20 0 d-------- C:\Program Files\Java
2008-01-16 22:11:33 0 d-------- C:\Documents and Settings\Owner\Application Data\PrevxCSI
2007-12-04 01:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 10:33]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 00:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [20/12/2007 16:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [05/07/2005 00:32]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [27/06/2005 07:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [26/01/2007 17:37]
"2ca129d3"="C:\WINDOWS\pmlklk.dll" [18/01/2008 19:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 12:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdibhhej]
C:\WINDOWS\system32\fdibhhej.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 05/07/2005 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-03-03 21:40:52 ------------

All help is very, very much appreciated, i have updated my zonealarm and spybot etc to help stop any further problems

tetonbob · 03-02-2008, 03:07 PM

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/security-center/hijackthis-log-help/212660-assistance-needed-tfra-tfrc-tfr8.html

KillAll::

File::
C:\WINDOWS\khigef.dll
C:\WINDOWS\system32\fdibhhej.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2ca129d3"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdibhhej]

Collect::
C:\WINDOWS\pmlklk.dll
C:\WINDOWS\system32\fdibhhej.cmd

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

Open HijackThis (not DSS) and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

infidel · 03-03-2008, 01:55 PM

Combifix log:

ComboFix 08-03-03.4 - Owner 2008-03-04 20:29:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1503 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\khigef.dll
C:\WINDOWS\system32\fdibhhej.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pmlklk.dll
C:\WINDOWS\system32\fdibhhej.cmd

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 21:40 . 2008-03-03 21:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iolo
2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo
2008-03-02 18:49 . 2008-03-02 18:49 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-03-02 18:41 . 2008-03-02 18:39 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 18:41 . 2008-03-02 18:41 2,550 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 20:37 190,496 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-04 20:35 3,284 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-02 21:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-03-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 20:37 --------- d-----w C:\Program Files\Creative
2008-03-02 20:35 --------- d-----w C:\Program Files\CCleaner
2008-03-02 18:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-26 21:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-17 17:24 --------- d-----w C:\Program Files\PCPitstop
2008-01-17 17:02 --------- d-----w C:\Program Files\Java
2008-01-16 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\PrevxCSI
2008-01-16 22:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 10:33 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 16:52 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 00:32 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 07:31 135168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-26 17:37 98304]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-27 17:16 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-08-05 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-12 13:55 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-26 17:37 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2006-02-22 12:25]
S3 e3abb741-f704-4d56-b70a-5e7b51b0e36f;e3abb741-f704-4d56-b70a-5e7b51b0e36f;D:\Player\cds300.dll []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 19:01]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 20:38:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2008-03-04 20:46:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 20:46:45
ComboFix2.txt 2008-03-03 21:37:41
.
2008-02-21 18:03:06 --- E O F ---

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49:55, on 04/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - http://site.ebrary.com/lib/bham/supp.../ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
O16 - DPF: {B2CD6005-80DA-4EC6-9D35-ECA638F8C086} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8537 bytes

I also submitted the file as requested

Many thanks

tetonbob · 03-03-2008, 02:05 PM

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

vfind -ltf "%systemdrive%\TFR*.dll" >log.txt
notepad log.txt

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this:

Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

infidel · 03-04-2008, 12:17 PM

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

tetonbob · 03-04-2008, 12:21 PM

Ok, that's good.

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

infidel · 03-05-2008, 01:14 PM

It didnt seem to give me an option to save as text so i went to file and save as:

Kaspersky Online ScannerWelcome to the Kaspersky Online Scanner! Use it to
scan your PC for viruses and other malware for free
Warning: if you have installed Kaspersky Online Scanner Pro, please
manually uninstall it using "Add/Remove Programs" before installing this
version! Otherwise this version will not function correctly.

Benefits:

Kaspersky Anti-Virus exceptional detection rates and thorough scanning
Hourly AV database updates available each time the Online Scanner is
launched
Heuristic analysis to detect unknown viruses
Simple installation (just click on a link)

Requirements and limitations:

When using this service for the first time, you have to run with
Administrator privileges in order to install the product. Also, you will
need to download and install files about 400 KB in size followed by 9 MB
of virus definitions.
However, if you use the Online Scanner again, you will only need to
download the files that have been updated since your last scan.
The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX
technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner
work only with MS Internet Explorer 6.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you
are using any other browser or any Internet Explorer extensions (such as
AvantBrowser). If you use a different browser, you can use the Kaspersky
File Scanner to scan individual files.
The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so
it cannot detect malicious code located in these areas.
Please note: The free Kaspersky Online Scanner does not protect against
malicious code, and cannot prevent future infections. It only detects
malware that has already penetrated your computer. We strongly recommend
that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious
programs found on your computer during the scanning process. The
information will be sent to the Kaspersky Virus Lab for statistical
purposes. No personal information about you or specific information about
your system will be collected or transmitted to Kaspersky Lab.

Select: All, None, Suspicious Selected objects: 0

Scan settings:
Here you can configure the scanning process.

Scan using the following antivirus database:
standard - detect viruses, worms, Trojans,
rootkits
extended - protect your computer from Spyware,
adware, dialers and potentially dangerous
software such as remote access utilities, prank
programs and jokes. We do not recommend this
option to beginners or inexperienced users.

Scan options:
Scan Archives - scan files inside archives
Note: affects all targets except 'A
File...' scan target.
Scan Mail Bases - scan e-mails/attachments
inside mail base files
Note: affects all targets except 'My
Email' and 'A File...' scan targets.

Initialize Kaspersky Online Scanner
(downloading and installing Kaspersky Online
Scanner ActiveX from the server into your
computer)

Update Kaspersky Anti-Virus Databases [100%]:
(downloading and installing the latest Kaspersky
Anti-Virus Databases)

Please wait to update the virus definitions...
Downloading from url:
ftp://downloads4.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: soft.xml
Downloading remote file: updcfg.xml
Downloading remote file: kernel.avc
Downloading remote file: krnunp.avc
Downloading remote file: krnexe.avc
Downloading remote file: krnmacro.avc
Downloading remote file: krnjava.avc
Downloading remote file: krndos.avc
Downloading remote file: krngen.avc
Downloading remote file: krnexe32.avc
Downloading remote file: krnengn.avc
Downloading remote file: krn001.avc
Downloading remote file: krn002.avc
Downloading remote file: krn003.avc
Downloading remote file: krn004.avc
Downloading remote file: krn005.avc
Downloading remote file: smart.avc
Downloading remote file: ocr.avc
Downloading remote file: chuka.avc
Downloading remote file: fa001.avc
Downloading remote file: base001c.avc
Downloading remote file: base002c.avc
Downloading remote file: base003c.avc
Downloading remote file: base004c.avc
Downloading remote file: base005c.avc
Downloading remote file: base006c.avc
Downloading remote file: base007c.avc
Downloading remote file: base008c.avc
Downloading remote file: base009c.avc
Downloading remote file: base010c.avc
Downloading remote file: base011c.avc
Downloading remote file: base012c.avc
Downloading remote file: base013c.avc
Downloading remote file: base014c.avc
Downloading remote file: base015c.avc
Downloading remote file: base016c.avc
Downloading remote file: base017c.avc
Downloading remote file: base018c.avc
Downloading remote file: base019c.avc
Downloading remote file: base020c.avc
Downloading remote file: base021c.avc
Downloading remote file: base022c.avc
Downloading remote file: base023c.avc
Downloading remote file: base024c.avc
Downloading remote file: base025c.avc
Downloading remote file: base026c.avc
Downloading remote file: base027c.avc
Downloading remote file: base028c.avc
Downloading remote file: base029c.avc
Downloading remote file: base030c.avc
Downloading remote file: base031c.avc
Downloading remote file: base032c.avc
Downloading remote file: base033c.avc
Downloading remote file: base034c.avc
Downloading remote file: base035c.avc
Downloading remote file: base036c.avc
Downloading remote file: base037c.avc
Downloading remote file: base038c.avc
Downloading remote file: base039c.avc
Downloading remote file: base040c.avc
Downloading remote file: base041c.avc
Downloading remote file: base042c.avc
Downloading remote file: base043c.avc
Downloading remote file: base044c.avc
Downloading remote file: base045c.avc
Downloading remote file: base046c.avc
Downloading remote file: base047c.avc
Downloading remote file: base048c.avc
Downloading remote file: base049c.avc
Downloading remote file: base050c.avc
Downloading remote file: base051c.avc
Downloading remote file: base052c.avc
Downloading remote file: base053c.avc
Downloading remote file: base054c.avc
Downloading remote file: base055c.avc
Downloading remote file: base056c.avc
Downloading remote file: base057c.avc
Downloading remote file: base058c.avc
Downloading remote file: base059c.avc
Downloading remote file: base060c.avc
Downloading remote file: base061c.avc
Downloading remote file: base062c.avc
Downloading remote file: base063c.avc
Downloading remote file: base064c.avc
Downloading remote file: base065c.avc
Downloading remote file: base066c.avc
Downloading remote file: base067c.avc
Downloading remote file: base068c.avc
Downloading remote file: base069c.avc
Downloading remote file: base070c.avc
Downloading remote file: base071c.avc
Downloading remote file: base072c.avc
Downloading remote file: base073c.avc
Downloading remote file: base074c.avc
Downloading remote file: base075c.avc
Downloading remote file: base076c.avc
Downloading remote file: base077c.avc
Downloading remote file: base078c.avc
Downloading remote file: base079c.avc
Downloading remote file: base080c.avc
Downloading remote file: base081c.avc
Downloading remote file: base082c.avc
Downloading remote file: base083c.avc
Downloading remote file: base084c.avc
Downloading remote file: base085c.avc
Downloading remote file: base086c.avc
Downloading remote file: base087c.avc
Downloading remote file: base088c.avc
Downloading remote file: base089c.avc
Downloading remote file: base090c.avc
Downloading remote file: base091c.avc
Downloading remote file: base092c.avc
Downloading remote file: base093c.avc
Downloading remote file: base094c.avc
Downloading remote file: base095c.avc
Downloading remote file: base096c.avc
Downloading remote file: base097c.avc
Downloading remote file: base098c.avc
Downloading remote file: base099c.avc
Downloading remote file: base100c.avc
Downloading remote file: base101c.avc
Downloading remote file: base102c.avc
Downloading remote file: base103c.avc
Downloading remote file: base104c.avc
Downloading remote file: base105c.avc
Downloading remote file: base106c.avc
Downloading remote file: base107c.avc
Downloading remote file: base108c.avc
Downloading remote file: base109c.avc
Downloading remote file: base110c.avc
Downloading remote file: base111c.avc
Downloading remote file: base112c.avc
Downloading remote file: base113c.avc
Downloading remote file: base114c.avc
Downloading remote file: base115c.avc
Downloading remote file: base116c.avc
Downloading remote file: base117c.avc
Downloading remote file: dailyc.avc
Downloading remote file: ext001c.avc
Downloading remote file: ext002c.avc
Downloading remote file: ext003c.avc
Downloading remote file: ext004c.avc
Downloading remote file: ext005c.avc
Downloading remote file: ext006c.avc
Downloading remote file: ext007c.avc
Downloading remote file: ext008c.avc
Downloading remote file: ext009c.avc
Downloading remote file: ext010c.avc
Downloading remote file: ext011c.avc
Downloading remote file: ext012c.avc
Downloading remote file: ext013c.avc
Downloading remote file: ext014c.avc
Downloading remote file: ext015c.avc
Downloading remote file: daily-ec.avc
Downloading remote file: base001.avc
Downloading remote file: base002.avc
Downloading remote file: base003.avc
Downloading remote file: base004.avc
Downloading remote file: base005.avc
Downloading remote file: base006.avc
Downloading remote file: base007.avc
Downloading remote file: base008.avc
Downloading remote file: base009.avc
Downloading remote file: base010.avc
Downloading remote file: base011.avc
Downloading remote file: base012.avc
Downloading remote file: base013.avc
Downloading remote file: base014.avc
Downloading remote file: base015.avc
Downloading remote file: base016.avc
Downloading remote file: base017.avc
Downloading remote file: base018.avc
Downloading remote file: base019.avc
Downloading remote file: base020.avc
Downloading remote file: base021.avc
Downloading remote file: base022.avc
Downloading remote file: base023.avc
Downloading remote file: base024.avc
Downloading remote file: base025.avc
Downloading remote file: base026.avc
Downloading remote file: base027.avc
Downloading remote file: base028.avc
Downloading remote file: base029.avc
Downloading remote file: base030.avc
Downloading remote file: base031.avc
Downloading remote file: base032.avc
Downloading remote file: base033.avc
Downloading remote file: base034.avc
Downloading remote file: base035.avc
Downloading remote file: base036.avc
Downloading remote file: base037.avc
Downloading remote file: base038.avc
Downloading remote file: base039.avc
Downloading remote file: base040.avc
Downloading remote file: base041.avc
Downloading remote file: base042.avc
Downloading remote file: base043.avc
Downloading remote file: base044.avc
Downloading remote file: base045.avc
Downloading remote file: base046.avc
Downloading remote file: base047.avc
Downloading remote file: base048.avc
Downloading remote file: base049.avc
Downloading remote file: base050.avc
Downloading remote file: base051.avc
Downloading remote file: base052.avc
Downloading remote file: base053.avc
Downloading remote file: base054.avc
Downloading remote file: base055.avc
Downloading remote file: base056.avc
Downloading remote file: base057.avc
Downloading remote file: base058.avc
Downloading remote file: base059.avc
Downloading remote file: base060.avc
Downloading remote file: base061.avc
Downloading remote file: base062.avc
Downloading remote file: base063.avc
Downloading remote file: base064.avc
Downloading remote file: base065.avc
Downloading remote file: base066.avc
Downloading remote file: base067.avc
Downloading remote file: base068.avc
Downloading remote file: base069.avc
Downloading remote file: base070.avc
Downloading remote file: base071.avc
Downloading remote file: base072.avc
Downloading remote file: base073.avc
Downloading remote file: base074.avc
Downloading remote file: base075.avc
Downloading remote file: base076.avc
Downloading remote file: base077.avc
Downloading remote file: base078.avc
Downloading remote file: base079.avc
Downloading remote file: base080.avc
Downloading remote file: base081.avc
Downloading remote file: base082.avc
Downloading remote file: base083.avc
Downloading remote file: base084.avc
Downloading remote file: base085.avc
Downloading remote file: base086.avc
Downloading remote file: base087.avc
Downloading remote file: base088.avc
Downloading remote file: base089.avc
Downloading remote file: base090.avc
Downloading remote file: base091.avc
Downloading remote file: base092.avc
Downloading remote file: base093.avc
Downloading remote file: base094.avc
Downloading remote file: base095.avc
Downloading remote file: base096.avc
Downloading remote file: base097.avc
Downloading remote file: base098.avc
Downloading remote file: base099.avc
Downloading remote file: base100.avc
Downloading remote file: base101.avc
Downloading remote file: base102.avc
Downloading remote file: base103.avc
Downloading remote file: base104.avc
Downloading remote file: base105.avc
Downloading remote file: base106.avc
Downloading remote file: base107.avc
Downloading remote file: base108.avc
Downloading remote file: base109.avc
Downloading remote file: base110.avc
Downloading remote file: base111.avc
Downloading remote file: base112.avc
Downloading remote file: base113.avc
Downloading remote file: base114.avc
Downloading remote file: base115.avc
Downloading remote file: base116.avc
Downloading remote file: base117.avc
Downloading remote file: base118.avc
Downloading remote file: base119.avc
Downloading remote file: base120.avc
Downloading remote file: base121.avc
Downloading remote file: base122.avc
Downloading remote file: base123.avc
Downloading remote file: base124.avc
Downloading remote file: base125.avc
Downloading remote file: base126.avc
Downloading remote file: base127.avc
Downloading remote file: base128.avc
Downloading remote file: base129.avc
Downloading remote file: base130.avc
Downloading remote file: base131.avc
Downloading remote file: base132.avc
Downloading remote file: base133.avc
Downloading remote file: base134.avc
Downloading remote file: base135.avc
Downloading remote file: base136.avc
Downloading remote file: base137.avc
Downloading remote file: base138.avc
Downloading remote file: base139.avc
Downloading remote file: base140.avc
Downloading remote file: base141.avc
Downloading remote file: base142.avc
Downloading remote file: base143.avc
Downloading remote file: base144.avc
Downloading remote file: base145.avc
Downloading remote file: base146.avc
Downloading remote file: base147.avc
Downloading remote file: base148.avc
Downloading remote file: base149.avc
Downloading remote file: base150.avc
Downloading remote file: base151.avc
Downloading remote file: base152.avc
Downloading remote file: base153.avc
Downloading remote file: base154.avc
Downloading remote file: base155.avc
Downloading remote file: base156.avc
Downloading remote file: base157.avc
Downloading remote file: base158.avc
Downloading remote file: base159.avc
Downloading remote file: base160.avc
Downloading remote file: base161.avc
Downloading remote file: base162.avc
Downloading remote file: base163.avc
Downloading remote file: base999.avc
Downloading remote file: unp000.avc
Downloading remote file: unp001.avc
Downloading remote file: unp002.avc
Downloading remote file: unp003.avc
Downloading remote file: unp004.avc
Downloading remote file: unp005.avc
Downloading remote file: unp006.avc
Downloading remote file: unp007.avc
Downloading remote file: unp008.avc
Downloading remote file: unp009.avc
Downloading remote file: unp010.avc
Downloading remote file: unp011.avc
Downloading remote file: unp012.avc
Downloading remote file: unp013.avc
Downloading remote file: unp014.avc
Downloading remote file: unp015.avc
Downloading remote file: unp016.avc
Downloading remote file: unp017.avc
Downloading remote file: unp018.avc
Downloading remote file: unp019.avc
Downloading remote file: unp020.avc
Downloading remote file: unp021.avc
Downloading remote file: unp022.avc
Downloading remote file: unp023.avc
Downloading remote file: unp024.avc
Downloading remote file: unp025.avc
Downloading remote file: unp026.avc
Downloading remote file: unp027.avc
Downloading remote file: unp028.avc
Downloading remote file: unp029.avc
Downloading remote file: unp030.avc
Downloading remote file: unp031.avc
Downloading remote file: unp032.avc
Downloading remote file: unp033.avc
Downloading remote file: unp034.avc
Downloading remote file: unp035.avc
Downloading remote file: unp036.avc
Downloading remote file: unp037.avc
Downloading remote file: unp038.avc
Downloading remote file: unp039.avc
Downloading remote file: daily.avc
Downloading remote file: daily-ex.avc
Downloading remote file: urgent.avc
Downloading remote file: mail.avc
Downloading remote file: ext001.avc
Downloading remote file: ext002.avc
Downloading remote file: ext003.avc
Downloading remote file: ext004.avc
Downloading remote file: ext005.avc
Downloading remote file: ext006.avc
Downloading remote file: ext007.avc
Downloading remote file: ext008.avc
Downloading remote file: ext009.avc
Downloading remote file: ext999.avc
Downloading remote file: gen001.avc
Downloading remote file: gen002.avc
Downloading remote file: gen003.avc
Downloading remote file: gen004.avc
Downloading remote file: gen005.avc
Downloading remote file: gen999.avc
Downloading remote file: ca.avc
Downloading remote file: fa.avc
Downloading remote file: eicar.avc
Downloading remote file: verdicts.ini
Downloading remote file: engine.dt
Downloading remote file: engine.cfg
Downloading remote file: avcmhk5.mhk
Downloading remote file: black.lst
Downloading remote file: avp.set
Downloading remote file: avp_ext.set
Downloading remote file: avp_x.set
Downloading remote file: avp.vnd
Downloading remote file: avp.klb
Downloading remote file: soft.ver
Update finished. Ready to scan.
Next
Please select a target to scan:
You can configure the scanning process by
pressing "Scan Settings" button.

Critical Areas
scan critical areas of your hard disks
specified in %windir% and %tmp% system variables
Memory
scan disk modules of running processes
My Computer
scan all your hard and mapped disks
My Email
scan all your hard and mapped disks only for the
following extensions: *.PST; *.MSG; *.OST;
*.MDB; *.DBX; *.EML; *.MBS
Folders...
scan selected folders
A File...
scan a one file

Warning: The Kaspersky Online Scanner may not
run successfully while any other Anti-Virus
software is running. If you have Anti-Virus
software installed, please disable your AV
protection before running the Kaspersky Online
Scanner.
Selected target: My Computer
Source: C:\; D:\;

Report is empty.
Please note: The free Kaspersky Online Scanner
does not provide comprehensive protection and
cannot prevent future infections. It only
detects malware that has already penetrated your
storage devices. We strongly recommend that you
use a fully-functional antivirus solution to
protect your computer at all times.

Please wait, this process may take a long time
depending on the selected target. If you want to
continue browsing, open a new window.

Scan Progress [99%]:

Total number of scanned objects:114261
Number of viruses found:0
Number of infected objects:0
Number of suspicious objects:0
Duration of the scan process:01:13:10
Stop Scan

Get a Free Trial

Buy Kaspersky Anti-Virus

Help

Virus Encyclopedia

Kaspersky Lab

Product Info
You have Kaspersky Online Scanner version 5.0.98.0
installed. The current anti-virus database was
released on Wednesday, March 05, 2008 and contains
599445 records.

System Info
Operating System: Microsoft Windows XP Home
Edition, Service Pack 2 (Build 2600)Please wait
while the Kaspersky Online Scanner is initializing
and updating...

Copyright (C) Kaspersky Lab 1997 - 2007
Portions Copyright (C) Lan Crypto

tetonbob · 03-05-2008, 02:26 PM

Even though what you've posted is not what the scan log should look like, if this is accurate, you should be in good shape:

Total number of scanned objects:114261
Number of viruses found:0
Number of infected objects:0
Number of suspicious objects:0
Duration of the scan process:01:13:10
Stop Scan

Do you recall if this was the result of your scan?

You should have been presented with these options at the completion of the scan:

If your machine is behaving well, and you're certain the above is from your scan, I'll post some final instructions.

let me know.

infidel · 03-06-2008, 01:40 AM

it said that the scan was done and that there were no infections etc. it didnt come up with that dialogue box the only option was stop scan, but it did say stop scan, i dont know whether it was that my computer was being slow bringing up the dialogue box

tetonbob · 03-06-2008, 08:43 AM

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

infidel · 03-10-2008, 12:49 PM

Great, many many many thanks for your help, it is really appreciated
Uninstalled combifix and did the mvps
i have spybot,zone alarm and spybot and i keep them regularly updated,
i try to keep my java up to date too
i have my windows on regular update

01-21-2008, 02:24 AM	#2 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 BUMP Problem has got worse, number of viruses being shown by AVG...please help

01-28-2008, 02:16 AM	#3 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 Bump!

01-28-2008, 10:22 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,164 OS: 2000 Pro; XP Pro; XP Home	Re: Assistance needed-TFRA/TFRC/TFR8 Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. If you have any questions along the way, STOP and ask them before proceeding. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

03-02-2008, 02:45 PM	#5 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 Hi, im really sorry about the very long delay, COmbifix log: ComboFix 08-03-03.4 - Owner 2008-03-02 21:35:46.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1355 [GMT 0:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 ))))))))))))))))))))))))))))))) . 2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iolo 2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo 2008-03-02 18:49 . 2008-03-02 18:49 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg 2008-03-02 18:41 . 2008-03-02 18:39 691,545 --a------ C:\WINDOWS\unins000.exe 2008-03-02 18:41 . 2008-03-02 18:41 2,550 --a------ C:\WINDOWS\unins000.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-03 21:36 129,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-03-02 21:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy 2008-03-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-03-02 20:37 --------- d-----w C:\Program Files\Creative 2008-03-02 20:35 --------- d-----w C:\Program Files\CCleaner 2008-03-02 20:24 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-03-02 18:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-01-26 21:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7 2008-01-18 19:11 72,704 ----a-w C:\WINDOWS\pmlklk.dll 2008-01-17 17:24 --------- d-----w C:\Program Files\PCPitstop 2008-01-17 17:02 --------- d-----w C:\Program Files\Java 2008-01-16 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\PrevxCSI 2008-01-16 22:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx 2006-11-12 12:00 19,456,157 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_11_12_10_44_30_full.dmp.zip 2006-11-05 17:28 18,810,585 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_29_20_47_33_full.dmp.zip 2006-10-26 14:17 19,323,601 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_26_12_59_15_full.dmp.zip 2006-10-26 14:15 19,216,143 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_25_13_40_52_full.dmp.zip 2006-10-10 18:50 19,279,531 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_10_10_03_04_07_full.dmp.zip 2006-09-29 09:59 19,228,168 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_28_00_31_36_full.dmp.zip 2006-09-23 19:20 19,546,257 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_17_19_51_35_full.dmp.zip 2006-09-05 09:05 19,007,473 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_09_04_12_53_46_full.dmp.zip 2006-08-31 12:32 1,670,656 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp 2006-08-31 12:32 1,342,976 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp 2006-08-20 22:27 19,179,513 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_13_12_00_37_full.dmp.zip 2006-08-11 10:14 10,698,976 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2006-08-07 18:14 19,228,489 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_07_01_40_55_full.dmp.zip 2006-03-13 16:18 526,336 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp 2006-02-20 21:00 224,256 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp 2006-02-08 22:44 51,712 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp 2006-02-07 11:43 2,178,048 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp 2005-09-16 12:14 50,688 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp 2005-09-16 12:14 1,583,616 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp 2005-09-09 11:07 16,384 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp 2005-09-09 11:06 1,556,480 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp 2005-09-09 11:02 91,136 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp 2005-09-09 11:02 1,556,480 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp 2005-06-25 14:38 1,531,904 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp 2005-06-25 14:38 1,158,144 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 10:33 155648] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 16:52 579072] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 00:32 639040] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 07:31 135168] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-26 17:37 98304] "2ca129d3"="C:\WINDOWS\pmlklk.dll" [2008-01-18 19:11 72704] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-27 17:16 219136] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdibhhej] C:\WINDOWS\system32\fdibhhej.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring] C:\WINDOWS\system32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] --a------ 2005-08-05 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] --a------ 2004-08-12 13:55 110592 C:\WINDOWS\system32\bthprops.cpl [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-01-26 17:37 98304 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"= R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2006-02-22 12:25] S3 e3abb741-f704-4d56-b70a-5e7b51b0e36f;e3abb741-f704-4d56-b70a-5e7b51b0e36f;D:\Player\cds300.dll [] S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 19:01] . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-03 21:36:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-03-03 21:37:40 . 2008-02-21 18:03:06 --- E O F --- Hijack this log: -- HijackThis (run as Owner.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:40:30, on 03/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\1XConfig.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Documents and Settings\Owner\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [2ca129d3] rundll32.exe "C:\WINDOWS\pmlklk.dll",b O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - http://site.ebrary.com/lib/bham/supp.../ebraryRdr.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - O16 - DPF: {B2CD6005-80DA-4EC6-9D35-ECA638F8C086} - O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://www.windowsecurity.com/trojanscan/axscan.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing) O20 - Winlogon Notify: fdibhhej - C:\WINDOWS\system32\fdibhhej.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 8625 bytes -- Files created between 2008-02-03 and 2008-03-03 ----------------------------- 2008-03-03 21:40:20 0 d-------- C:\Program Files\Trend Micro 2008-03-02 21:33:58 0 d-------- C:\cmdcons 2008-03-02 21:33:13 68096 --a------ C:\WINDOWS\system32\zip.exe 2008-03-02 21:33:13 98816 --a------ C:\WINDOWS\system32\sed.exe 2008-03-02 21:33:13 80412 --a------ C:\WINDOWS\system32\grep.exe 2008-03-02 21:33:13 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-03-02 20:34:39 0 dr-h----- C:\Documents and Settings\Owner\Recent 2008-03-02 18:49:20 0 d-------- C:\Documents and Settings\Owner\Application Data\iolo 2008-03-02 18:49:20 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo 2008-03-02 18:41:14 691545 --a------ C:\WINDOWS\unins000.exe 2008-03-02 18:41:14 2550 --a------ C:\WINDOWS\unins000.dat -- Find3M Report --------------------------------------------------------------- 2008-03-02 20:37:14 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-03-02 20:37:13 0 d-------- C:\Program Files\Creative 2008-03-02 20:35:49 0 d-------- C:\Program Files\CCleaner 2008-03-02 20:21:52 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2008-01-26 21:32:10 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7 2008-01-18 21:30:02 56 --a------ C:\WINDOWS\system32\fdibhhej.cmd 2008-01-18 19:11:17 72704 --a------ C:\WINDOWS\pmlklk.dll 2008-01-17 17:24:50 0 d-------- C:\Program Files\PCPitstop 2008-01-17 17:02:20 0 d-------- C:\Program Files\Java 2008-01-16 22:11:33 0 d-------- C:\Documents and Settings\Owner\Application Data\PrevxCSI 2007-12-04 01:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?> 2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®> 2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®> 2007-12-04 01:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®> -- Registry Dump --------------------------------------------------------------- Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [13/09/2004 10:33] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 00:04] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [20/12/2007 16:52] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11] "ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [05/07/2005 00:32] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [27/06/2005 07:31] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [26/01/2007 17:37] "2ca129d3"="C:\WINDOWS\pmlklk.dll" [18/01/2008 19:11] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16:05] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 12:05:56] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "NoDispBackgroundPage"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdibhhej] C:\WINDOWS\system32\fdibhhej.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring] C:\WINDOWS\system32\LgNotify.dll 05/07/2005 00:33 188482 C:\WINDOWS\system32\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs BthServ -- End of Deckard's System Scanner: finished at 2008-03-03 21:40:52 ------------ All help is very, very much appreciated, i have updated my zonealarm and spybot etc to help stop any further problems

03-03-2008, 01:55 PM	#7 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 Combifix log: ComboFix 08-03-03.4 - Owner 2008-03-04 20:29:30.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1503 [GMT 0:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt * Created a new restore point FILE :: C:\WINDOWS\khigef.dll C:\WINDOWS\system32\fdibhhej.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\pmlklk.dll C:\WINDOWS\system32\fdibhhej.cmd . ((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 ))))))))))))))))))))))))))))))) . 2008-03-03 21:40 . 2008-03-03 21:40 <DIR> d-------- C:\Program Files\Trend Micro 2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iolo 2008-03-02 18:49 . 2008-03-02 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo 2008-03-02 18:49 . 2008-03-02 18:49 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg 2008-03-02 18:41 . 2008-03-02 18:39 691,545 --a------ C:\WINDOWS\unins000.exe 2008-03-02 18:41 . 2008-03-02 18:41 2,550 --a------ C:\WINDOWS\unins000.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-04 20:37 190,496 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-03-04 20:35 3,284 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-03-02 21:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy 2008-03-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-03-02 20:37 --------- d-----w C:\Program Files\Creative 2008-03-02 20:35 --------- d-----w C:\Program Files\CCleaner 2008-03-02 18:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-01-26 21:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7 2008-01-17 17:24 --------- d-----w C:\Program Files\PCPitstop 2008-01-17 17:02 --------- d-----w C:\Program Files\Java 2008-01-16 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\PrevxCSI 2008-01-16 22:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 10:33 155648] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 00:04 122933] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 16:52 579072] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 00:32 639040] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 07:31 135168] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-26 17:37 98304] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-27 17:16 219136] C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring] C:\WINDOWS\system32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] --a------ 2005-08-05 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] --a------ 2004-08-12 13:55 110592 C:\WINDOWS\system32\bthprops.cpl [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-01-26 17:37 98304 C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"= "C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"= R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2006-02-22 12:25] S3 e3abb741-f704-4d56-b70a-5e7b51b0e36f;e3abb741-f704-4d56-b70a-5e7b51b0e36f;D:\Player\cds300.dll [] S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 19:01] . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-04 20:38:07 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\S24EvMon.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\RegSrvc.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\1XConfig.exe C:\Program Files\Apoint\Apntex.exe . ************************************************************************ . Completion time: 2008-03-04 20:46:53 - machine was rebooted ComboFix-quarantined-files.txt 2008-03-04 20:46:45 ComboFix2.txt 2008-03-03 21:37:41 . 2008-02-21 18:03:06 --- E O F --- Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:49:55, on 04/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\WINDOWS\system32\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\1XConfig.exe C:\Program Files\Apoint\Apoint.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Apoint\Apntex.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - http://site.ebrary.com/lib/bham/supp.../ebraryRdr.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - O16 - DPF: {B2CD6005-80DA-4EC6-9D35-ECA638F8C086} - O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://www.windowsecurity.com/trojanscan/axscan.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/...l/gtdownde.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 8537 bytes I also submitted the file as requested Many thanks

03-04-2008, 12:17 PM	#9 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0

03-04-2008, 12:21 PM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,164 OS: 2000 Pro; XP Pro; XP Home	Re: Assistance needed-TFRA/TFRC/TFR8 Ok, that's good. Please run this online scan to help look for remnants. First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one. Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

03-05-2008, 02:26 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,164 OS: 2000 Pro; XP Pro; XP Home	Re: Assistance needed-TFRA/TFRC/TFR8 Even though what you've posted is not what the scan log should look like, if this is accurate, you should be in good shape: Total number of scanned objects:114261 Number of viruses found:0 Number of infected objects:0 Number of suspicious objects:0 Duration of the scan process:01:13:10 Stop Scan Do you recall if this was the result of your scan? You should have been presented with these options at the completion of the scan: If your machine is behaving well, and you're certain the above is from your scan, I'll post some final instructions. let me know. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

03-06-2008, 01:40 AM	#13 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 it said that the scan was done and that there were no infections etc. it didnt come up with that dialogue box the only option was stop scan, but it did say stop scan, i dont know whether it was that my computer was being slow bringing up the dialogue box

03-06-2008, 08:43 AM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,164 OS: 2000 Pro; XP Pro; XP Home	Re: Assistance needed-TFRA/TFRC/TFR8 Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. FIREWALL Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here Do not install more than one firewall program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

03-10-2008, 12:49 PM	#15 (permalink)
infidel Registered User Join Date: Feb 2006 Posts: 14 OS: XP	Re: Assistance needed-TFRA/TFRC/TFR8 Great, many many many thanks for your help, it is really appreciated Uninstalled combifix and did the mvps i have spybot,zone alarm and spybot and i keep them regularly updated, i try to keep my java up to date too i have my windows on regular update