Old 08-05-2008, 04:17 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Surprised IE Pop-ups - Malware

Hi,

My IE has recently been giving random ad pop-ups (even when I use Firefox instead of IE, IE still gives ad pop-ups).

I ran AVG several times to remove the trojan, but to no avail.

AVG started detecting infected files in my Temporary Files folder, and recently it has started detecting the trojan in my Windows/System32 folder!

Below is main.txt after running DSS. I don't know why, but extra.txt did not appear the second time I ran DSS, although it did the first time. I have also attached the Panda ActiveScan log.

Hope you can solve my problem..
Really appreciate what you guys are doing for the tech community!



Deckard's System Scanner v20071014.68
Run by Ken Wong on 2008-08-05 18:06:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ken Wong.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:06 PM, on 05-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Qlock\qlock.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Kenamp\Setups\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\KENWON~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\f1Y26158.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB102} (CS Control) - https://www.taonline.com.my/TAOnline/EF/control/csw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 6602 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 17:51:37 0 d-------- C:\Program Files\Trend Micro
2008-08-05 17:27:53 0 d-------- C:\ie-spyad_zo
2008-08-05 17:19:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 17:18:57 0 d-------- C:\Program Files\SpywareBlaster
2008-08-05 15:07:46 0 d-------- C:\Program Files\Panda Security
2008-08-02 23:43:46 0 d-------- C:\Documents and Settings\Ken Wong\Application Data\HouseCall 6.6
2008-08-02 23:17:30 0 d-------- C:\Documents and Settings\Ken Wong\.housecall6.6
2008-08-02 22:02:23 0 d-------- C:\Program Files\Alwil Software
2008-08-02 21:55:47 0 d-------- C:\Program Files\Java
2008-08-02 21:55:45 0 d-------- C:\Program Files\Common Files\Java
2008-07-28 23:58:08 0 d-------- C:\Program Files\Lavasoft
2008-07-28 23:58:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 23:57:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 22:18:27 0 d-------- C:\WINDOWS\pss
2008-07-22 13:54:03 0 d-------- C:\tmp
2008-07-15 16:29:57 0 d--hs---- C:\WINDOWS\ftpcache
2008-07-14 21:15:48 0 d-------- C:\Games
2008-07-14 17:01:25 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-14 17:01:15 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-14 17:00:39 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Real
2008-07-14 17:00:38 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-14 13:16:47 29760 --a------ C:\WINDOWS\system32\j3I5TrWw.exe
2008-07-10 10:14:42 0 d-------- C:\Documents and Settings\Ken Wong\Application Data\dvdcss


-- Find3M Report ---------------------------------------------------------------

2008-08-05 17:26:48 0 d-------- C:\Program Files\Valve
2008-08-02 23:27:51 0 d-------- C:\Program Files\Common Files
2008-08-02 18:20:21 0 d-------- C:\Program Files\SopCast
2008-08-02 18:16:52 0 d-------- C:\Program Files\a-squared Free
2008-07-22 12:22:15 0 d-------- C:\Documents and Settings\Ken Wong\Application Data\AVG7


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
C:\WINDOWS\system32\f1Y26158.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [12-Aug-04 09:10 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [28-May-03 05:32 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [07-Oct-04 07:44 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [21-Aug-04 06:04 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01-May-08 03:53 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10-Jun-08 04:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11-Feb-08 07:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12-Aug-04 09:18 PM]
"@"="" []

C:\Documents and Settings\Ken Wong\Start Menu\Programs\Startup\
qlock.lnk - C:\Program Files\Qlock\qlock.exe [18-Dec-07 5:42:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 12-Jan-04 06:55 AM 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8a3920-d98b-11dc-a3b7-00114368b89a}]
AutoRun\command- F:\Secret.exe
explore\Command- F:\Secret.exe
open\Command- F:\Secret.exe

*Newly Created Service* - PAVBOOT



-- End of Deckard's System Scanner: finished at 2008-08-05 18:07:25 ------------



Thanks.
Attached Files
File Type: txt ActiveScan.txt (10.3 KB, 1 views)

Last edited by ferrarilover; 08-05-2008 at 04:18 AM.
ferrarilover is offline  

Old 08-05-2008, 10:22 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

I trust that you have not rebooted that computer...regardless, I need to say,
PLEASE DO NOT REBOOT.

Let's first back up the Registry.

Copy the data below into a blank notepad and save it as regbackup.bat
Code:
@echo off
:: variables
:: %drive% is the folder the export is written to; %backupcmd% is set here
:: but never invoked below (regedit /e does the export on its own)
set drive=C:\Backup
set backupcmd=xcopy /s /c /d /e /h /i /r /y

echo ### Backing up the Registry...
:: create the target folder if needed and replace any earlier export
if not exist "%drive%\Registry" mkdir "%drive%\Registry"
if exist "%drive%\Registry\regbackup.reg" del "%drive%\Registry\regbackup.reg"
:: /e exports the entire registry to a .reg file
regedit /e "%drive%\Registry\regbackup.reg"
echo Backup Complete!
@pause
Double-Click that .bat file and allow it to run.
PLEASE ONLY RUN THIS FILE ONE TIME FOR NOW...

Press any key when it completes.

This script copies the registry to the directory defined in the %drive% variable, or "C:\Backup". If the script is run multiple times, it will rewrite if the source files are newer. As it stands now though, we only want to run this batch file just this once...you can delete the file once it completes successfully. Navigate to C:\Backup\Registry where you should find the regbackup.reg file. If you find it then just close that folder and continue to delete the regbackup.bat file we created and placed on the Desktop.


Next, click start-->run...then type or copy and paste the following in the run box and click "OK":
regedit
...when the Registry Editor opens, navigate to the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Secret
\"<System>\Secret.exe\" FormaT


To do that, click once on the ► next to the folder labeled HKEY_LOCAL_MACHINE, scroll down to the Software folder and do the same in succession until you reach the Run folder. When you find it, click on the Run folder and look to the right pane for the entry named Secret. Click on that entry once to highlight it, then right-click and select Delete... If prompted, click OK and Close the Registry Editor.

Rebooting now should not cause the activation of what I suspected was the Troj/Delf-LW...Once infected with that trojan, when the computer is next rebooted and Troj/Delf-LW is launched on startup, it first disables the Task Manager, and tries to prevent a log-off or shutdown from occurring.

Troj/Delf-LW then proceeds to attempt to delete every file and folder on the entire system, while displaying a progress bar entitled "Updating System Configuration".

Once Troj/Delf-LW has finished deleting files, it displays a message saying "Yedinmi Yarraaa?". You shouldn't see that (not now, since we deleted the entry from the run key) but I've posted this information for the benefit of other forum readers.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 08-05-2008, 08:35 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi 1972vet... thanks for the reply,

Unfortunately, I have rebooted since my last post..
Do I have to do anything different now?
Sorry, but I'm a bit of a noob..

This trojan sounds serious.. The new symptom that occurred is a premature shutdown of my IE browser even before I click the 'X' (close) button.

Hope you can further advise me..

Thanks.

Last edited by ferrarilover; 08-05-2008 at 08:37 PM. Reason: typo
ferrarilover is offline  
Old 08-05-2008, 08:44 PM   #4 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

If you can, please follow through with the instructions I posted for you. Thanks!

1972vet is offline  
Old 08-05-2008, 09:28 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi,

I have backed up the reg and used regedit but found no Secret in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
path..


Thanks.

Last edited by ferrarilover; 08-05-2008 at 09:29 PM.
ferrarilover is offline  
Old 08-05-2008, 11:09 PM   #6 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

Great! Is it possible then to show us the combofix log you generated?

1972vet is offline  
Old 08-05-2008, 11:12 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi 1972vet,

What I meant was after running regbackup.bat. I followed the next step which was regedit, but was unable to delete Secret in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path as I couldn't find the reg (Secret) there, and therefore could not proceed with the next step.

Thanks.

Last edited by ferrarilover; 08-05-2008 at 11:16 PM.
ferrarilover is offline  
Old 08-05-2008, 11:43 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

Quote:
Hi 1972vet,

What I meant was after running regbackup.bat. I followed the next step which was regedit, but was unable to delete Secret in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path as I couldn't find the reg (Secret) there, and therefore could not proceed with the next step.
Just because you couldn't find the reg key I referenced doesn't mean you can't proceed to the next step in those instructions.

The fact that you can't locate that Reg key is a good thing. The malicious software would have grabbed that key and created the entry "secret"...The reg key referenced in your dss scan log here is of course, different but got my attention nonetheless:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8a3920-d98b-11dc-a3b7-00114368b89a}]
AutoRun\command- F:\Secret.exe
explore\Command- F:\Secret.exe
open\Command- F:\Secret.exe


...This obviously is not what I thought it was...witness, your reboot without the message indicated, so we both can sigh with relief!

The next step in the instruction was to download and run combofix. Why then are you not able to perform that step?

1972vet is offline  
Old 08-06-2008, 12:34 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi,

When I double-click ComboFix.exe, it seems to run an update. After that, ComboFix says that it will restart, which it does, and updates again, then restarts, and goes into a repetitive loop.


Thanks.
ferrarilover is offline  
Old 08-06-2008, 12:03 PM   #10 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

Download a fresh copy Here...sUBs updates quite often. Yours may be outdated at this point anyway. Post back your results. Thanks!

1972vet is offline  
Old 08-06-2008, 07:59 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi,

Finally got ComboFix to run.
log.txt:

ComboFix 08-08-06.02 - Ken Wong 2008-08-07 9:49:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191 [GMT 8:00]
Running from: C:\Documents and Settings\Ken Wong\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ken Wong\Application Data\macromedia\Flash Player\#SharedObjects\2A7ZWFXU\iforex.com
C:\Documents and Settings\Ken Wong\Application Data\macromedia\Flash Player\#SharedObjects\2A7ZWFXU\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Ken Wong\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Ken Wong\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 11:15 . 2008-08-06 11:15 <DIR> d-------- C:\Backup
2008-08-05 20:28 . 2008-08-06 23:30 83,458 --a------ C:\WINDOWS\system32\7QyLIJJC.exe
2008-08-05 17:51 . 2008-08-05 17:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 17:42 . 2008-08-05 17:42 <DIR> d-------- C:\Deckard
2008-08-05 17:27 . 2008-08-05 17:29 <DIR> d-------- C:\ie-spyad_zo
2008-08-05 17:19 . 2008-08-05 17:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 17:18 . 2008-08-05 17:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-05 15:08 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-05 15:07 . 2008-08-05 15:07 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 23:43 . 2008-08-02 23:51 <DIR> d-------- C:\Documents and Settings\Ken Wong\Application Data\HouseCall 6.6
2008-08-02 23:17 . 2008-08-04 09:03 <DIR> d-------- C:\Documents and Settings\Ken Wong\.housecall6.6
2008-08-02 22:02 . 2008-08-02 22:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-02 22:02 . 2003-03-19 05:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-08-02 21:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-02 21:55 . 2008-08-02 21:56 <DIR> d-------- C:\Program Files\Java
2008-08-02 21:55 . 2008-08-02 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-28 23:58 . 2008-07-28 23:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-28 23:58 . 2008-07-28 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 23:57 . 2008-07-28 23:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 13:54 . 2008-07-22 13:58 <DIR> d-------- C:\tmp
2008-07-15 16:29 . 2008-07-15 16:29 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-14 21:15 . 2008-07-14 21:15 <DIR> d-------- C:\Games
2008-07-14 17:35 . 2008-07-14 17:35 0 --a------ C:\WINDOWS\system32\7QyLIJJC.exe.a_a
2008-07-14 13:16 . 2008-07-14 13:16 29,760 --a------ C:\WINDOWS\system32\j3I5TrWw.exe
2008-07-14 13:16 . 2008-07-14 13:16 0 --a------ C:\WINDOWS\system32\j3I5TrWw.exe.a_a
2008-07-10 10:14 . 2008-07-10 10:14 <DIR> d-------- C:\Documents and Settings\Ken Wong\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:26 --------- d-----w C:\Program Files\Valve
2008-08-02 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 10:20 --------- d-----w C:\Program Files\SopCast
2008-08-02 10:16 --------- d-----w C:\Program Files\a-squared Free
2008-07-31 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-22 04:22 --------- d-----w C:\Documents and Settings\Ken Wong\Application Data\AVG7
2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 21:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32 86016]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 19:44 610304]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 18:04 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-01 15:53 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 19:54 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 23:06 219136]

C:\Documents and Settings\Ken Wong\Start Menu\Programs\Startup\
qlock.lnk - C:\Program Files\Qlock\qlock.exe [2007-12-18 17:42:38 4158464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-11 19:54 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8a3920-d98b-11dc-a3b7-00114368b89a}]
\Shell\AutoRun\command - F:\Secret.exe
\Shell\explore\Command - F:\Secret.exe
\Shell\open\Command - F:\Secret.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ken Wong\Application Data\Mozilla\Firefox\Profiles\vzuzzlcu.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 09:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-07 9:53:23
ComboFix-quarantined-files.txt 2008-08-07 01:53:20

Pre-Run: 48,746,819,584 bytes free
Post-Run: 50,027,581,440 bytes free

132 --- E O F --- 2008-04-09 17:10:26


Again, many thanks!
ferrarilover is offline  
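As an added example (my own code, not from the thread or from HijackThis, DSS or ComboFix), here is a small Python triage pass over the kinds of log lines seen in posts #1 and #11, applying the heuristics 1972vet used: BHO and service entries whose file is missing or whose owner is unknown, MountPoints2 shell handlers that launch an executable from a drive root (the F:\Secret.exe entry called out in post #8), and 8-character random-looking names dropped in system32 like j3I5TrWw.exe and 7QyLIJJC.exe. The sample lines are constructed from the thread's logs, and the random-name rule is my own assumption, a review aid rather than a verdict.

```python
"""Triage heuristics for HijackThis / DSS / ComboFix log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: line shapes copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\f1Y26158.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares\chatServer.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
2008-07-14 13:16:47 29760 --a------ C:\WINDOWS\system32\j3I5TrWw.exe
2008-08-05 20:28 . 2008-08-06 23:30 83,458 --a------ C:\WINDOWS\system32\7QyLIJJC.exe
2008-08-02 21:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8a3920-d98b-11dc-a3b7-00114368b89a}]
AutoRun\command- F:\Secret.exe
explore\Command- F:\Secret.exe
open\Command- F:\Secret.exe
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


# Markers HijackThis prints when the object a BHO/service points at is gone, or
# when the service has no recorded publisher. "Unknown owner" is common on
# legitimate drivers too (this thread's Ati HotKey Poller), so it is a review cue.
ORPHAN_MARKERS = ("(no file)", "(file missing)", "unknown owner")

# Assumed heuristic, not an HJT rule: an 8-character alphanumeric basename in
# system32 that mixes digits with upper- and lower-case letters.
RANDOM_NAME_RE = re.compile(r"\\system32\\([A-Za-z0-9]{8})\.(exe|dll)\b", re.I)

# Shell verb handlers under MountPoints2, in DSS spelling ("AutoRun\command- X")
# or ComboFix spelling ("\Shell\AutoRun\command - X").
HANDLER_RE = re.compile(
    r"^(?:\\Shell\\)?(AutoRun|explore|open)\\command\s*-\s*(.+?)\s*$", re.I
)
# An executable sitting directly in a drive root, e.g. F:\Secret.exe.
DRIVE_ROOT_EXE_RE = re.compile(r"^([A-Za-z]):\\[^\\]+\.exe$", re.I)


def looks_random(name: str) -> bool:
    """True when a basename mixes digits, upper- and lower-case (j3I5TrWw)."""
    return (any(c.isdigit() for c in name)
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect review findings, one per hit."""
    findings: list[Finding] = []
    in_mountpoints = False
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # A bracketed registry key header opens a new section; only handler
        # lines inside a MountPoints2 section count as autorun handlers.
        if line.startswith("["):
            in_mountpoints = "mountpoints2" in line.lower()
            continue
        if line.startswith(("O2 - BHO:", "O23 - Service:")):
            hits = [m for m in ORPHAN_MARKERS if m in line.lower()]
            if hits:
                findings.append(Finding(line_no, "orphaned-entry", ", ".join(hits)))
        m = RANDOM_NAME_RE.search(line)
        if m and looks_random(m.group(1)):
            findings.append(Finding(line_no, "random-name-in-system32", m.group(0)))
        if in_mountpoints:
            h = HANDLER_RE.match(line)
            if h and DRIVE_ROOT_EXE_RE.match(h.group(2)):
                findings.append(
                    Finding(line_no, "autorun-handler", f"{h.group(1)} -> {h.group(2)}")
                )
    return findings


def rule_counts(log_text: str) -> dict[str, int]:
    """Number of findings per rule, handy for a quick summary of a long log."""
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:3d}  {f.rule:<24} {f.detail}")
    print(rule_counts(SAMPLE_LOG))
```

Feed it a full saved HijackThis or DSS main.txt and review the flagged lines by hand; the helper's own judgement in this thread shows why none of these rules is a verdict on its own.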
Old 08-06-2008, 09:24 PM   #12 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::
C:\WINDOWS\system32\7QyLIJJC.exe
C:\WINDOWS\system32\7QyLIJJC.exe.a_a
C:\WINDOWS\system32\j3I5TrWw.exe
C:\WINDOWS\system32\j3I5TrWw.exe.a_a
F:\Secret.exe


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8a3920-d98b-11dc-a3b7-00114368b89a}]
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

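The CFScript above deletes the MountPoints2 autorun key and the executable it launches. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses a MountPoints2 block laid out the way ComboFix printed it in the log posted above (the sample lines are constructed to match) and emits the corresponding File::/Registry:: script, so that keys and paths do not have to be retyped by hand.

```python
import re

# Constructed excerpt, laid out the way ComboFix printed the MountPoints2
# block in the log posted earlier in this thread.
SAMPLE_COMBOFIX_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b8a3920-d98b-11dc-a3b7-00114368b89a}]
\Shell\AutoRun\command - F:\Secret.exe
\Shell\explore\Command - F:\Secret.exe
\Shell\open\Command - F:\Secret.exe

*Newly Created Service* - CATCHME
"""

# A MountPoints2 subkey header: [HKEY_...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
# One shell verb under that key: \Shell\<verb>\command - <target>
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.I)


def parse_mountpoints(log_text):
    """Map each MountPoints2 key in the log to its {verb: target} commands."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        v = VERB_RE.match(line)
        if v:
            # Verb names are case-insensitive in the registry; normalise them.
            entries[current][v.group(1).lower()] = v.group(2)
        else:
            # A blank line or any other section ends the key's block.
            current = None
    return entries


def build_cfscript(entries):
    """Emit a CFScript: File:: lists every launched target, Registry:: deletes each key with [-key]."""
    targets = sorted({t for verbs in entries.values() for t in verbs.values()})
    lines = ["File::", *targets, "", "Registry::"]
    lines += [f"[-{key}]" for key in sorted(entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_mountpoints(SAMPLE_COMBOFIX_LOG)), end="")
```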
Old 08-08-2008, 10:14 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi there,
The following is the new log txt file:


ComboFix 08-08-08.02 - Ken Wong 2008-08-09 0:09:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT 8:00]
Running from: C:\Documents and Settings\Ken Wong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ken Wong\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\7QyLIJJC.exe
C:\WINDOWS\system32\7QyLIJJC.exe.a_a
C:\WINDOWS\system32\j3I5TrWw.exe
C:\WINDOWS\system32\j3I5TrWw.exe.a_a
F:\Secret.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\7QyLIJJC.exe
C:\WINDOWS\system32\7QyLIJJC.exe.a_a
C:\WINDOWS\system32\j3I5TrWw.exe
C:\WINDOWS\system32\j3I5TrWw.exe.a_a

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-06 11:15 . 2008-08-06 11:15 <DIR> d-------- C:\Backup
2008-08-05 17:51 . 2008-08-05 17:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 17:42 . 2008-08-05 17:42 <DIR> d-------- C:\Deckard
2008-08-05 17:27 . 2008-08-05 17:29 <DIR> d-------- C:\ie-spyad_zo
2008-08-05 17:19 . 2008-08-05 17:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 17:18 . 2008-08-05 17:21 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-05 15:08 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-05 15:07 . 2008-08-05 15:07 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 23:43 . 2008-08-02 23:51 <DIR> d-------- C:\Documents and Settings\Ken Wong\Application Data\HouseCall 6.6
2008-08-02 23:17 . 2008-08-04 09:03 <DIR> d-------- C:\Documents and Settings\Ken Wong\.housecall6.6
2008-08-02 22:02 . 2008-08-02 22:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-02 22:02 . 2003-03-19 05:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-08-02 21:56 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-02 21:55 . 2008-08-02 21:56 <DIR> d-------- C:\Program Files\Java
2008-08-02 21:55 . 2008-08-02 21:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-28 23:58 . 2008-07-28 23:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-28 23:58 . 2008-07-28 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 23:57 . 2008-07-28 23:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 13:54 . 2008-07-22 13:58 <DIR> d-------- C:\tmp
2008-07-15 16:29 . 2008-07-15 16:29 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-14 21:15 . 2008-07-14 21:15 <DIR> d-------- C:\Games
2008-07-10 10:14 . 2008-07-10 10:14 <DIR> d-------- C:\Documents and Settings\Ken Wong\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 09:26 --------- d-----w C:\Program Files\Valve
2008-08-02 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-02 10:20 --------- d-----w C:\Program Files\SopCast
2008-08-02 10:16 --------- d-----w C:\Program Files\a-squared Free
2008-07-31 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-22 04:22 --------- d-----w C:\Documents and Settings\Ken Wong\Application Data\AVG7
2008-05-16 03:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 21:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 21:10 339968]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32 86016]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 19:44 610304]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 18:04 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-01 15:53 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 19:54 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-11 23:06 219136]

C:\Documents and Settings\Ken Wong\Start Menu\Programs\Startup\
qlock.lnk - C:\Program Files\Qlock\qlock.exe [2007-12-18 17:42:38 4158464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-11 19:54 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20:01]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 00:10:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-09 0:12:10
ComboFix-quarantined-files.txt 2008-08-08 16:11:56
ComboFix2.txt 2008-08-07 01:53:24

Pre-Run: 49,694,035,968 bytes free
Post-Run: 49,983,594,496 bytes free

126 --- E O F --- 2008-04-09 17:10:26
Old 08-08-2008, 09:29 PM   #14 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

That log looks good. May I see a fresh HijackThis log now please?
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

Old 08-12-2008, 03:44 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi,
Here you go,
Unfortunately I'm still receiving threat notices from AVG, but thank you for your continuous help:

Deckard's System Scanner v20071014.68
Run by Ken Wong on 2008-08-12 17:40:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ken Wong.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:52 PM, on 12-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Qlock\qlock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
D:\Kenamp\Setups\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\KENWON~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB102} (CS Control) - https://www.taonline.com.my/TAOnline/EF/control/csw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 6767 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 15:03:13 0 d-------- C:\Program Files\Alarm
2008-08-07 09:48:12 68096 --a------ C:\WINDOWS\zip.exe
2008-08-07 09:48:12 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-07 09:48:12 98816 --a------ C:\WINDOWS\sed.exe
2008-08-07 09:48:12 80412 --a------ C:\WINDOWS\grep.exe
2008-08-07 09:48:11 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-07 09:48:11 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-07 09:48:11 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-07 09:48:11 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-06 14:02:22 0 dr-hs---- C:\cmdcons
2008-08-06 14:02:14 0 d-------- C:\WINDOWS\setup.pss
2008-08-06 14:01:35 0 d-------- C:\WINDOWS\setupupd
2008-08-06 11:15:25 0 d-------- C:\Backup
2008-08-05 17:51:37 0 d-------- C:\Program Files\Trend Micro
2008-08-05 17:27:53 0 d-------- C:\ie-spyad_zo
2008-08-05 17:19:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-05 17:18:57 0 d-------- C:\Program Files\SpywareBlaster
2008-08-05 15:07:46 0 d-------- C:\Program Files\Panda Security
2008-08-02 23:43:46 0 d-------- C:\Documents and Settings\Ken Wong\Application Data\HouseCall 6.6
2008-08-02 23:17:30 0 d-------- C:\Documents and Settings\Ken Wong\.housecall6.6
2008-08-02 22:02:23 0 d-------- C:\Program Files\Alwil Software
2008-08-02 21:55:47 0 d-------- C:\Program Files\Java
2008-08-02 21:55:45 0 d-------- C:\Program Files\Common Files\Java
2008-07-28 23:58:08 0 d-------- C:\Program Files\Lavasoft
2008-07-28 23:58:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-28 23:57:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 22:18:27 0 d-------- C:\WINDOWS\pss
2008-07-22 13:54:03 0 d-------- C:\tmp
2008-07-15 16:29:57 0 d--hs---- C:\WINDOWS\ftpcache
2008-07-14 21:15:48 0 d-------- C:\Games
2008-07-14 17:01:25 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-14 17:01:15 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-14 17:00:39 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Real
2008-07-14 17:00:38 0 dr------- C:\Documents and Settings\NetworkService\Favorites


-- Find3M Report ---------------------------------------------------------------

2008-08-09 00:09:57 0 d-------- C:\Program Files\Common Files
2008-08-05 17:26:48 0 d-------- C:\Program Files\Valve
2008-08-02 18:20:21 0 d-------- C:\Program Files\SopCast
2008-08-02 18:16:52 0 d-------- C:\Program Files\a-squared Free
2008-07-22 12:22:15 0 d-------- C:\Documents and Settings\Ken Wong\Application Data\AVG7
2008-07-10 10:14:42 0 d-------- C:\Documents and Settings\Ken Wong\Application Data\dvdcss


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [12-Aug-04 09:10 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [28-May-03 05:32 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [07-Oct-04 07:44 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [21-Aug-04 06:04 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01-May-08 03:53 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10-Jun-08 04:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11-Feb-08 07:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12-Aug-04 09:18 PM]

C:\Documents and Settings\Ken Wong\Start Menu\Programs\Startup\
qlock.lnk - C:\Program Files\Qlock\qlock.exe [18-Dec-07 5:42:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 12-Jan-04 06:55 AM 110592 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




-- End of Deckard's System Scanner: finished at 2008-08-12 17:42:20 ------------

Last edited by ferrarilover; 08-12-2008 at 03:46 AM.
Old 08-12-2008, 06:59 AM   #16 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

This log also looks clean (no malware). There is one stray Registry entry that can go and one that is questionable:

Run HijackThis again and check the box next to these:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Do you know this web site and are you certain it's safe?:
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB102} (CS Control) - https://www.taonline.com.my/TAOnline/EF/control/csw.cab
I don't...and google doesn't know much about it either (which is usually a red flag). If you know the site is safe then leave it, but if you don't check the box next to that entry as well.

Close all windows except for the HijackThis application's window then click the Fix Checked button.

Reboot the computer and post back a fresh HijackThis log. Advise how the system behaves for you now and what warning messages you still receive...I suspect what your AVG may be complaining about are the archived malware files that we removed with combofix. Please post the warning message which shows the exact path to the offensive file. Thanks!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

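The two entries singled out in this reply, a BHO whose CLSID is still registered but whose file is gone and a DPF (ActiveX download) control from a host the analyst could not vouch for, can be picked out mechanically. The Python below is an added example, not HijackThis code and not written by anyone in this thread; it applies those two rules to a constructed sample in HijackThis log format, with KNOWN_DPF_HOSTS an assumed reviewer allowlist rather than anything HijackThis ships.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the shape of the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB102} (CS Control) - https://www.taonline.com.my/TAOnline/EF/control/csw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed reviewer allowlist: hosts whose DPF controls have already been vetted
# (the Flash control from this host was left alone in the thread).
KNOWN_DPF_HOSTS = {"fpdownload2.macromedia.com"}

# O2 - BHO: <name> - {<clsid>} - <path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O16 - DPF: {<clsid>} (<name>) - <url of the .cab>
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def triage_hjt(log_text):
    """Return a list of (verdict, line) for entries that merit attention.

    'fix'    : orphaned BHO, CLSID registered but the DLL is gone (safe to remove).
    'review' : DPF control downloaded from a host not on the allowlist.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append(("fix", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlsplit(m.group("url")).hostname or "").lower()
            if host not in KNOWN_DPF_HOSTS:
                findings.append(("review", line))
    return findings


if __name__ == "__main__":
    for verdict, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{verdict:6} {line}")
```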
Old 08-15-2008, 07:58 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Hi,
Been monitoring PC after the 'Fix Checked' action and there are no more problems after that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:24 AM, on 16-Aug-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ken Wong\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Qlock\qlock.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Ken Wong\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB102} (CS Control) - https://www.taonline.com.my/TAOnline/EF/control/csw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 6876 bytes


Thank you 1972vet for all your help..

Really appreciate it!
Old 08-15-2008, 09:36 PM   #18 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

Just for good measure, let's give Kaspersky a chance to see if we missed anything along the way:

Please perform a scan with Kaspersky Webscan Online Virus Scanner
  • Click the "Kaspersky Online Scanner" link above.
  • Read the Requirements and Privacy statement, then select "Accept".
  • A new window will appear...Select Update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
  • Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
  • Select Scan Report.
  • The report will only show threats (if any were found).
  • Select "Save error report as"...Then in the file name just type in kaspersky, and under "save as type" select text .txt then save it to your Desktop.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version.

Post back the results. Thanks!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

1972vet is offline  
Old 08-17-2008, 08:51 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Win XP SP2


Re: IE Pop-ups - Malware

Alright, mate.

Here's the report, cheers:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 17, 2008 10:56:56
Records in database: 1101719
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 54317
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:25:57

No malware has been detected. The scan area is clean.

The selected area was scanned.
ferrarilover is offline  
Old 08-17-2008, 10:13 PM   #20 (permalink)
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

Excellent! You did good work, my friend. You should delete the regbackup.bat file we created...you can delete the C:\Backup text file as well.

Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again for you automatically.


To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third-party firewalls running on board:
Kerio Personal Firewall
Zone Alarm
Outpost Free
Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on-board Disk Cleanup ("Start-->Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!
1972vet is offline  
Copyright 2001 - 2009, Tech Support Forum