Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 12-03-2008, 06:24 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Explorer problems, avg cant update, pc freezes.

Hi there,
The other night, while Google image searching, I got asked to install an ActiveX control. Not too intelligently, I allowed the install and all hell broke loose. My web browser was redirected to some fake antivirus software page and a scanner installed on my PC. I removed the scanner through Add/Remove Programs. Then the little Windows warning symbol came up saying that I may have been infected by spyware. So I downloaded AVG Free Edition (I didn't have an antivirus) and it installed and scanned, finding nothing. I tried to update AVG as it said that I was not protected because I had no updates. And my PC froze...
Following a reboot, I cannot open My Computer, Internet Explorer, AVG etc. And the few programs that do load up do not run properly. And I cannot access the internet. Oh, and AVG popped up saying it had discovered a trojan, but the window was incomplete and the PC froze again.
I downloaded gmer.exe and dds.exe from the links in this forum and had to transfer them via flash drive to my PC in Safe Mode.
The programs won't run in normal startup, so I ran them in Safe Mode too.
I am running Windows XP Media Center Edition 2005.
I have also run AVG several times in Safe Mode and found nothing.

Here's the DDS log:


DDS (Version 1.0) - NTFSx86 MINIMAL
Run by Xander Cage at 12:45:19.05 on 03/12/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.371 [GMT 0:00]

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Xander Cage\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\program files\avg\avg8\avgssie.dll
BHO: {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - d:\program files\webmediaviewer\hpmun.dll
BHO: {95E9BCC0-2E84-4500-8A9C-0B7A96769124} - d:\program files\anvtrgrsoftware\AnvTrgrWarning.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - d:\program files\webmediaviewer\browseul.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [AnvTrgr] "d:\program files\anvtrgrsoftware\AnvTrgr.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
mExplorerRun: [VMware hptray] d:\program files\webmediaviewer\hpmon.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

S1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-12-2 97928]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2008-12-2 26824]
S2 A5C7DA6261682860;A5C7DA6261682860;\??\d:\documents and settings\xander cage\desktop\a5c7da6261682860\A5C7DA6261682860 []
S2 avg8wd;AVG Free8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-2 231704]
S2 LicCtrlService;LicCtrl Service;d:\windows\runservice.exe [2008-9-5 2560]
S3 ati2mtaa;ati2mtaa;d:\windows\system32\drivers\ati2mtaa.sys [2008-2-29 327040]

=============== Created Last 30 ================

2008-12-03 12:16 250 a------- d:\windows\gmer.ini
2008-12-03 11:49 <DIR> --d----- d:\docume~1\xander~1\applic~1\Malwarebytes
2008-12-03 11:48 15,504 a------- d:\windows\system32\drivers\mbam.sys
2008-12-03 11:48 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:48 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:48 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-02 01:39 <DIR> --d-h--- D:\$AVG8.VAULT$
2008-12-02 01:23 10,520 a------- d:\windows\system32\avgrsstx.dll
2008-12-02 01:22 97,928 a------- d:\windows\system32\drivers\avgldx86.sys
2008-12-02 01:22 <DIR> --d----- d:\windows\system32\drivers\Avg
2008-12-02 01:22 <DIR> --d----- d:\docume~1\xander~1\applic~1\AVGTOOLBAR
2008-12-02 01:01 <DIR> --d----- d:\program files\WebMediaViewer
2008-11-26 00:59 <DIR> --d----- d:\program files\Utherverse Digital Inc
2008-11-18 00:19 <DIR> --d----- d:\program files\DownloadToolz
2008-11-15 18:50 78,464 ac------ d:\windows\system32\dllcache\usbvideo.sys
2008-11-15 18:50 20,992 ac------ d:\windows\system32\dllcache\dshowext.ax
2008-11-15 18:50 78,464 a------- d:\windows\system32\drivers\usbvideo.sys
2008-11-15 18:50 20,992 a------- d:\windows\system32\dshowext.ax
2008-11-15 01:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Avg8
2008-11-12 17:34 453,632 -c------ d:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2008-12-02 00:57 <DIR> --d----- d:\docume~1\xander~1\applic~1\uTorrent
2008-12-01 09:52 15,360 a--s---- d:\windows\system32\cwegus.dll
2008-10-30 17:27 <DIR> --d----- d:\program files\Pinnacle
2008-10-30 11:18 <DIR> --d----- d:\program files\Messenger
2008-10-30 07:43 <DIR> --d----- d:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-30 07:31 <DIR> --d----- d:\program files\MSXML 4.0
2008-10-28 20:36 <DIR> --d----- d:\program files\common files\Logitech
2008-10-16 14:06 268,648 a------- d:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- d:\windows\system32\muweb.dll
2008-10-15 09:11 <DIR> --d----- d:\program files\MUSHclient
2008-10-13 02:22 <DIR> --d----- d:\program files\K-Lite Codec Pack
2008-09-30 16:43 1,286,152 a------- d:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 a------- d:\windows\system32\win32k.sys
2008-09-14 22:39 43,520 a------- d:\windows\system32\CmdLineExt03.dll
2008-09-05 20:23 45,056 a------- d:\windows\mmfs.dll
2008-09-05 20:23 2,560 a------- d:\windows\Runservice.exe
2008-09-04 16:42 1,106,944 a------- d:\windows\system32\msxml3.dll

============= FINISH: 12:45:54.61 ===============

Any and all help greatly appreciated

Oh yeah, don't know if it's important, but if I load iexplorer, it shows in the Task Manager list but cannot be seen or used otherwise, and there are 2 or 3 of the same program in Task Manager that I haven't seen before, hmop or something like that. And in Add/Remove Programs there is an iexplorer add-on with no file size. And if you try to remove it, it says you must restart before uninstalling it. Cue an endless loop of restarting before uninstalling etc.
Attached Files
File Type: txt gmer.txt (683.3 KB, 4 views)
File Type: txt Attach.txt (9.1 KB, 0 views)

Last edited by lostonexxx; 12-03-2008 at 06:30 AM. Reason: forgot something
lostonexxx is offline  

Old 12-06-2008, 03:46 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs is offline  
Old 12-06-2008, 05:22 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

Thanks for the speedy reply, sUBs.
I had to run it in Safe Mode because it wouldn't run in normal mode. I hope that's OK; I didn't see anything saying that it couldn't in the instructions. The first run crashed the PC at the end, so I ran it again after a restart. It worked OK, and the log says it removed the hpmon.exe that was bugging me before. Here is the log.

ComboFix 08-12-05.06 - Xander Cage 2008-12-06 12:07:40.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.392 [GMT 0:00]
Running from: d:\documents and settings\Xander Cage\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
d:\program files\webmediaviewer
d:\program files\webmediaviewer\browseul.dll
d:\program files\webmediaviewer\hpmom.exe
d:\program files\webmediaviewer\hpmon.exe
d:\program files\webmediaviewer\hpmun.dll
d:\program files\webmediaviewer\hpmun.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-03 12:16 . 2008-12-03 12:17 250 --a------ d:\windows\gmer.ini
2008-12-03 11:49 . 2008-12-03 11:49 <DIR> d-------- d:\documents and settings\Xander Cage\Application Data\Malwarebytes
2008-12-03 11:48 . 2008-12-03 11:48 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:48 . 2008-12-03 11:48 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 11:48 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:48 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-12-02 01:39 . 2008-12-02 01:39 <DIR> d--h----- D:\$AVG8.VAULT$
2008-12-02 01:23 . 2008-12-02 01:23 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-12-02 01:22 . 2008-12-02 01:22 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-12-02 01:22 . 2008-12-02 01:22 <DIR> d-------- d:\documents and settings\Xander Cage\Application Data\AVGTOOLBAR
2008-12-02 01:22 . 2008-12-02 01:22 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-12-02 01:01 . 2008-12-02 01:26 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-26 00:59 . 2008-11-26 00:59 <DIR> d-------- d:\program files\Utherverse Digital Inc
2008-11-18 00:19 . 2008-11-18 00:19 <DIR> d-------- d:\program files\DownloadToolz
2008-11-15 18:50 . 2004-08-03 23:10 78,464 --a------ d:\windows\system32\drivers\usbvideo.sys
2008-11-15 18:50 . 2004-08-03 23:10 78,464 --a--c--- d:\windows\system32\dllcache\usbvideo.sys
2008-11-15 18:50 . 2004-08-04 00:56 20,992 --a------ d:\windows\system32\dshowext.ax
2008-11-15 18:50 . 2004-08-04 00:56 20,992 --a--c--- d:\windows\system32\dllcache\dshowext.ax
2008-11-15 01:23 . 2008-12-02 01:22 <DIR> d-------- d:\documents and settings\All Users\Application Data\Avg8
2008-11-12 17:34 . 2008-10-24 11:10 453,632 -----c--- d:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 00:57 --------- d-----w d:\documents and settings\Xander Cage\Application Data\uTorrent
2008-12-01 17:19 --------- d-----w d:\documents and settings\Xander Cage\Application Data\dvdcss
2008-12-01 09:52 15,360 --s-a-w d:\windows\system32\cwegus.dll
2008-11-15 01:28 --------- d-----w d:\program files\Logitech
2008-11-15 01:24 --------- d-----w d:\program files\Common Files\InstallShield
2008-10-30 17:27 --------- d-----w d:\program files\Pinnacle
2008-10-30 07:43 --------- d-----w d:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-30 07:31 --------- d-----w d:\program files\MSXML 4.0
2008-10-28 20:36 --------- d-----w d:\program files\Common Files\Logitech
2008-10-28 20:35 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-18 12:12 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-10-16 14:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w d:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w d:\windows\system32\muweb.dll
2008-10-15 09:11 --------- d-----w d:\program files\MUSHclient
2008-10-13 02:22 --------- d-----w d:\program files\K-Lite Codec Pack
2008-09-30 16:43 1,286,152 ----a-w d:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w d:\windows\system32\win32k.sys
2008-09-14 22:39 43,520 ----a-w d:\windows\system32\CmdLineExt03.dll
2002-07-26 16:02 153,088 ----a-w d:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnvTrgr"="d:\program files\AnvTrgrsoftware\AnvTrgr.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-03-02 98304]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"VMware hptray"="d:\program files\WebMediaViewer\hpmon.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
d:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-02 01:22 1261336 d:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
d:\windows\system32\brastk.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-10 07:00 15360 d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 d:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 21:22 3739648 d:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
d:\program files\Logitech\Video\ManifestEngine.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
d:\program files\Logitech\Video\ISStart.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
d:\program files\Logitech\Video\LogiTray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 d:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
d:\windows\system32\PSDrvCheck.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-02 13:59 98304 d:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
--a------ 2004-04-06 18:05 61440 d:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2004-04-23 11:00 192512 d:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"TapiSrv"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"CryptSvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
S2 A5C7DA6261682860;A5C7DA6261682860;\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860 []
S2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
S2 LicCtrlService;LicCtrl Service;d:\windows\runservice.exe [2008-09-05 2560]
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{4d5b7736-a3bc-4e5b-9fa2-1bcc3e587abb} - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 12:10:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\A5C7DA6261682860]
"ImagePath"="\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\A5C7DA6261682860]
"ImagePath"="\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(244)
d:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(332)
d:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-06 12:12:33
ComboFix-quarantined-files.txt 2008-12-06 12:12:25

Pre-Run: 1,970,913,280 bytes free
Post-Run: 1,959,899,136 bytes free

172 --- E O F --- 2008-11-13 11:27:07

I couldn't install the Windows recovery in Safe Mode as I had no internet connection. Also, I have just noticed that I have XP Pro, not Media Centre. I didn't know that :D
And the uTorrent and Utherverse programs had been uninstalled previously; I don't know why they are still showing up.
Thanks again :)
lostonexxx is offline  
Old 12-06-2008, 05:31 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
FILE::
d:\windows\system32\cwegus.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnvTrgr"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=-
"wscsvc"=-
"TapiSrv"=-
"srservice"=-
"Spooler"=-
"CryptSvc"=-
"avg8wd"=-
"avg8emc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
sUBs is offline  
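As an added illustration of what the Registry:: part of that CFScript does (example code written for this page, not ComboFix's own and not part of the thread): it parses the "Reg Loading Points" section of the ComboFix log above into a dictionary, flags the security-relevant entries (services disabled through msconfig, suppressed Security Center warnings, firewall off), then applies the script's lines with .reg-file semantics (assumed: `[-KEY]` deletes a key, `"name"=-` deletes a value) and re-runs the same checks. The log excerpt and script text are constructed from the thread's own posts.

```python
import re

# Constructed excerpt of the first ComboFix log's "Reg Loading Points" section.
LOG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"srservice"=2 (0x2)
"CryptSvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Registry:: part of the thread's CFScript (the FILE:: deletion is not simulated).
CFSCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=-
"wscsvc"=-
"srservice"=-
"CryptSvc"=-
"avg8wd"=-
"avg8emc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"""

# msconfig records a service under its "services" key when it disables it. These are
# the ones worth flagging: Automatic Updates, Security Center, System Restore,
# Cryptographic Services and the AVG services from the log.
SECURITY_SERVICES = {"wuauserv", "wscsvc", "srservice", "cryptsvc", "avg8wd", "avg8emc"}
MSCONFIG_SERVICES = r"hkey_local_machine\software\microsoft\shared tools\msconfig\services"
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL = r"hkey_local_machine\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

def norm_key(key):
    """Keys are case-insensitive; also expand ComboFix's HKLM abbreviation."""
    key = key.strip().lower()
    return "hkey_local_machine" + key[4:] if key.startswith("hklm\\") else key

def parse_value(raw):
    """Decode '2 (0x2)' (ComboFix) or 'dword:00000001' (.reg); '-' means delete."""
    raw = raw.strip()
    if raw == "-":
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else raw.strip('"')

def apply_reg(state, text):
    """Apply REGEDIT4-style lines to a {key: {value_name: value}} dict, returning a
    new dict. Loading the log and simulating the CFScript use the same rules."""
    state = {k: dict(v) for k, v in state.items()}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):            # [-KEY]: delete the whole key
                state.pop(norm_key(body[1:]), None)
                key = None
            else:
                key = norm_key(body)
                state.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if m and key is not None:                # non-matching lines (file info) are skipped
            name, value = m.group(1).lower(), parse_value(m.group(2))
            if value is None:                    # "name"=- : delete the value
                state[key].pop(name, None)
            else:
                state[key][name] = value
    return state

def audit(state):
    """Security-relevant findings visible in a parsed Reg Loading Points dump."""
    findings = []
    for name in sorted(state.get(MSCONFIG_SERVICES, {})):
        if name in SECURITY_SERVICES:
            findings.append(f"service recorded as disabled by msconfig: {name}")
    for flag in ("antivirusdisablenotify", "updatesdisablenotify"):
        if state.get(SECURITY_CENTER, {}).get(flag) == 1:
            findings.append(f"Security Center warning suppressed: {flag}")
    if state.get(FIREWALL, {}).get("enablefirewall") == 0:
        findings.append("Windows Firewall disabled (EnableFirewall=0)")
    return findings

def before_and_after():
    """Findings from the log as posted, and after the CFScript is applied to it."""
    before = apply_reg({}, LOG_EXCERPT)
    return audit(before), audit(apply_reg(before, CFSCRIPT))
```

The firewall finding survives because the script does not touch EnableFirewall, which matches the second ComboFix log in the thread still showing it as 0.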
Old 12-06-2008, 06:52 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

Wow, quick reply.

I transferred the CFScript file across to the PC in Safe Mode, rebooted into normal mode and tried the drag and drop. This caused the computer to freeze for about twenty minutes, before I rebooted into Safe Mode again. In Safe Mode it ran perfectly. The log follows.
I rebooted into normal mode to try and access the internet for the other scan. Iexplorer starts running according to Task Manager, but is not visible on screen. My Computer now opens, though, but it just has the little flashlight searching endlessly. The system is immensely slow in normal mode.

ComboFix 08-12-05.06 - Xander Cage 2008-12-06 13:33:18.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.388 [GMT 0:00]
Running from: d:\documents and settings\Xander Cage\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Xander Cage\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
d:\windows\system32\cwegus.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\cwegus.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-03 12:16 . 2008-12-03 12:17 250 --a------ d:\windows\gmer.ini
2008-12-03 11:49 . 2008-12-03 11:49 <DIR> d-------- d:\documents and settings\Xander Cage\Application Data\Malwarebytes
2008-12-03 11:48 . 2008-12-03 11:48 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:48 . 2008-12-03 11:48 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 11:48 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:48 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-12-02 01:39 . 2008-12-02 01:39 <DIR> d--h----- D:\$AVG8.VAULT$
2008-12-02 01:23 . 2008-12-02 01:23 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-12-02 01:22 . 2008-12-02 01:22 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-12-02 01:22 . 2008-12-02 01:22 <DIR> d-------- d:\documents and settings\Xander Cage\Application Data\AVGTOOLBAR
2008-12-02 01:22 . 2008-12-02 01:22 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-12-02 01:01 . 2008-12-02 01:26 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-26 00:59 . 2008-11-26 00:59 <DIR> d-------- d:\program files\Utherverse Digital Inc
2008-11-18 00:19 . 2008-11-18 00:19 <DIR> d-------- d:\program files\DownloadToolz
2008-11-15 18:50 . 2004-08-03 23:10 78,464 --a------ d:\windows\system32\drivers\usbvideo.sys
2008-11-15 18:50 . 2004-08-03 23:10 78,464 --a--c--- d:\windows\system32\dllcache\usbvideo.sys
2008-11-15 18:50 . 2004-08-04 00:56 20,992 --a------ d:\windows\system32\dshowext.ax
2008-11-15 18:50 . 2004-08-04 00:56 20,992 --a--c--- d:\windows\system32\dllcache\dshowext.ax
2008-11-15 01:23 . 2008-12-02 01:22 <DIR> d-------- d:\documents and settings\All Users\Application Data\Avg8
2008-11-12 17:34 . 2008-10-24 11:10 453,632 -----c--- d:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 00:57 --------- d-----w d:\documents and settings\Xander Cage\Application Data\uTorrent
2008-12-01 17:19 --------- d-----w d:\documents and settings\Xander Cage\Application Data\dvdcss
2008-11-15 01:28 --------- d-----w d:\program files\Logitech
2008-11-15 01:24 --------- d-----w d:\program files\Common Files\InstallShield
2008-10-30 17:27 --------- d-----w d:\program files\Pinnacle
2008-10-30 07:43 --------- d-----w d:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-30 07:31 --------- d-----w d:\program files\MSXML 4.0
2008-10-28 20:36 --------- d-----w d:\program files\Common Files\Logitech
2008-10-28 20:35 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-18 12:12 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-10-16 14:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w d:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w d:\windows\system32\muweb.dll
2008-10-15 09:11 --------- d-----w d:\program files\MUSHclient
2008-10-13 02:22 --------- d-----w d:\program files\K-Lite Codec Pack
2008-09-30 16:43 1,286,152 ----a-w d:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w d:\windows\system32\win32k.sys
2008-09-14 22:39 43,520 ----a-w d:\windows\system32\CmdLineExt03.dll
2002-07-26 16:02 153,088 ----a-w d:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-03-02 98304]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"VMware hptray"="d:\program files\WebMediaViewer\hpmon.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-02 01:22 1261336 d:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-10 07:00 15360 d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 d:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 21:22 3739648 d:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
d:\program files\Logitech\Video\ManifestEngine.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
d:\program files\Logitech\Video\ISStart.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
d:\program files\Logitech\Video\LogiTray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 d:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
d:\windows\system32\PSDrvCheck.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-02 13:59 98304 d:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
--a------ 2004-04-06 18:05 61440 d:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2004-04-23 11:00 192512 d:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"StarWindServiceAE"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
S2 A5C7DA6261682860;A5C7DA6261682860;\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860 []
S2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
S2 LicCtrlService;LicCtrl Service;d:\windows\runservice.exe [2008-09-05 2560]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 13:36:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\A5C7DA6261682860]
"ImagePath"="\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\A5C7DA6261682860]
"ImagePath"="\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860"
.
Completion time: 2008-12-06 13:38:20
ComboFix-quarantined-files.txt 2008-12-06 13:37:54
ComboFix2.txt 2008-12-06 12:12:35

Pre-Run: 1,949,175,808 bytes free
Post-Run: 1,937,850,368 bytes free

142 --- E O F --- 2008-11-13 11:27:07
Old 12-06-2008, 06:57 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Your symptoms should be gone now. I'll wait to see the results of the Kaspersky scan.
Old 12-06-2008, 10:32 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

I think you missed the beginning of my last post

I cannot access My Computer; it comes up with the Explorer screen, with a little flashlight which just keeps moving side to side endlessly. I can run a drive through the Run command, but that's it.
Also Internet Explorer isn't visible, but it appears in the Task Manager. AVG still will not update.
Old 12-06-2008, 10:49 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Sorry about that. Please return to safe mode & run this cfscript

Code:
Driver::
A5C7DA6261682860
Collect::
d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"VMware hptray"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
Let me know if that improves anything
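What the CFScript above targets in the earlier log is a service with a 16-hex-character name whose ImagePath points to an extensionless file of the same name on the user's Desktop, with an empty [] where ComboFix normally prints the file's date and size. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses service and registry lines in the shape of the log posted here and flags those indicators, plus the two configuration items visible in the same log (EnableFirewall=0 and a populated AppInit_DLLs). The sample log embedded in it is constructed from the lines above, and the heuristics (user-profile path, hex-only name, no file extension, missing file metadata) are the editor's assumptions about what makes a service entry worth a closer look; they are triage hints, not a verdict.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines in the shape of the ComboFix log posted in
# this thread (service lines and registry loading points). Not the complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
S2 A5C7DA6261682860;A5C7DA6261682860;\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860 []
S2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
S2 LicCtrlService;LicCtrl Service;d:\windows\runservice.exe [2008-09-05 2560]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\A5C7DA6261682860]
"ImagePath"="\??\d:\documents and settings\Xander Cage\Desktop\A5C7DA6261682860\A5C7DA6261682860"
"""

# "S2 name;description;image path [date size]" as ComboFix prints it
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICES_KEY = re.compile(r"\\services\\(?P<svc>[^\\\]]+)$", re.I)
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{12,}$")
# Heuristic (editor's assumption): no legitimate XP service or driver loads from here.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\desktop\\", "\\temp\\", "\\application data\\")


def normalize_image_path(path: str) -> str:
    """Lower-case the path, strip quotes and drop the NT object-manager prefix seen in the log."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def service_reasons(name: str, path: str, meta: Optional[str]) -> List[str]:
    """Return the indicators that make one service entry worth a closer look."""
    reasons = []
    p = normalize_image_path(path)
    if any(marker in p for marker in USER_PROFILE_MARKERS):
        reasons.append("user_profile_path")
    if HEX_NAME.match(name):
        reasons.append("hex_name")          # machine-generated name, as in the thread
    if not ntpath.splitext(ntpath.basename(p))[1]:
        reasons.append("no_extension")      # image file is not *.exe / *.sys
    if meta is not None and not meta.strip():
        reasons.append("no_file_metadata")  # ComboFix printed []: it could not stat the file
    return reasons


def _record(services: Dict[str, Dict], name: str, path: str, meta: Optional[str]) -> None:
    entry = services.setdefault(name, {"kind": "service", "name": name, "path": path, "reasons": []})
    for reason in service_reasons(name, path, meta):
        if reason not in entry["reasons"]:
            entry["reasons"].append(reason)


def audit_combofix_log(text: str) -> List[Dict]:
    """Walk the log once; return flagged services followed by registry findings."""
    services: Dict[str, Dict] = {}
    registry: List[Dict] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SERVICE_LINE.match(line)
        if m:
            _record(services, m.group("name"), m.group("path"), m.group("meta"))
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name").lower(), m.group("data").strip()
        key = current_key.lower()
        if name == "imagepath":
            k = SERVICES_KEY.search(current_key)
            if k:                           # hidden-service block: no [date size], so meta=None
                _record(services, k.group("svc"), data, None)
        elif name == "enablefirewall" and "firewallpolicy" in key and data.startswith("0"):
            registry.append({"kind": "registry", "name": "EnableFirewall", "reasons": ["firewall_disabled"]})
        elif name == "appinit_dlls" and key.endswith("currentversion\\windows") and data:
            registry.append({"kind": "registry", "name": "AppInit_DLLs", "data": data, "reasons": ["appinit_dlls_set"]})
    flagged = [s for s in services.values() if s["reasons"]]
    return flagged + registry


if __name__ == "__main__":
    for finding in audit_combofix_log(SAMPLE_LOG):
        print(finding["kind"], finding["name"], ", ".join(finding["reasons"]))
```

To run it over a saved log, read the file into a string and pass it to audit_combofix_log(). On the sample, only the A5C7DA6261682860 service trips all four service indicators; the AppInit_DLLs hit is AVG's avgrsstx.dll and is reported for review, not as malware, and EnableFirewall=0 simply records that the Windows Firewall was off.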
Old 12-06-2008, 08:02 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

After that CFScript my PC is working well again.

Here's the new ComboFix log and Kaspersky log.

ComboFix 08-12-05.06 - Xander Cage 2008-12-06 18:22:32.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.393 [GMT 0:00]
Running from: d:\documents and settings\Xander Cage\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Xander Cage\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_A5C7DA6261682860
-------\Service_A5C7DA6261682860


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-03 12:16 . 2008-12-03 12:17 250 --a------ d:\windows\gmer.ini
2008-12-03 11:49 . 2008-12-03 11:49 <DIR> d-------- d:\documents and settings\Xander Cage\Application Data\Malwarebytes
2008-12-03 11:48 . 2008-12-03 11:48 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:48 . 2008-12-03 11:48 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 11:48 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:48 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-12-02 01:39 . 2008-12-02 01:39 <DIR> d--h----- D:\$AVG8.VAULT$
2008-12-02 01:23 . 2008-12-02 01:23 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-12-02 01:22 . 2008-12-02 01:22 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-12-02 01:22 . 2008-12-02 01:22 <DIR> d-------- d:\documents and settings\Xander Cage\Application Data\AVGTOOLBAR
2008-12-02 01:22 . 2008-12-02 01:22 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-12-02 01:01 . 2008-12-02 01:26 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-26 00:59 . 2008-11-26 00:59 <DIR> d-------- d:\program files\Utherverse Digital Inc
2008-11-18 00:19 . 2008-11-18 00:19 <DIR> d-------- d:\program files\DownloadToolz
2008-11-15 18:50 . 2004-08-03 23:10 78,464 --a------ d:\windows\system32\drivers\usbvideo.sys
2008-11-15 18:50 . 2004-08-03 23:10 78,464 --a--c--- d:\windows\system32\dllcache\usbvideo.sys
2008-11-15 18:50 . 2004-08-04 00:56 20,992 --a------ d:\windows\system32\dshowext.ax
2008-11-15 18:50 . 2004-08-04 00:56 20,992 --a--c--- d:\windows\system32\dllcache\dshowext.ax
2008-11-15 01:23 . 2008-12-02 01:22 <DIR> d-------- d:\documents and settings\All Users\Application Data\Avg8
2008-11-12 17:34 . 2008-10-24 11:10 453,632 -----c--- d:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 00:57 --------- d-----w d:\documents and settings\Xander Cage\Application Data\uTorrent
2008-12-01 17:19 --------- d-----w d:\documents and settings\Xander Cage\Application Data\dvdcss
2008-11-15 01:28 --------- d-----w d:\program files\Logitech
2008-11-15 01:24 --------- d-----w d:\program files\Common Files\InstallShield
2008-10-30 17:27 --------- d-----w d:\program files\Pinnacle
2008-10-30 07:43 --------- d-----w d:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-30 07:31 --------- d-----w d:\program files\MSXML 4.0
2008-10-28 20:36 --------- d-----w d:\program files\Common Files\Logitech
2008-10-28 20:35 --------- d--h--w d:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-18 12:12 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-10-16 14:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w d:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w d:\windows\system32\muweb.dll
2008-10-15 09:11 --------- d-----w d:\program files\MUSHclient
2008-10-13 02:22 --------- d-----w d:\program files\K-Lite Codec Pack
2008-09-30 16:43 1,286,152 ----a-w d:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w d:\windows\system32\win32k.sys
2008-09-14 22:39 43,520 ----a-w d:\windows\system32\CmdLineExt03.dll
2002-07-26 16:02 153,088 ----a-w d:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_12.11.13.99 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w d:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-03-02 98304]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-02 01:22 1261336 d:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-10 07:00 15360 d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 d:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 21:22 3739648 d:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 d:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 d:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-02 13:59 98304 d:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
--a------ 2004-04-06 18:05 61440 d:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
--a------ 2004-04-23 11:00 192512 d:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"StarWindServiceAE"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
R2 LicCtrlService;LicCtrl Service;d:\windows\runservice.exe [2008-09-05 2560]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 18:29:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\ehome\ehRecvr.exe
d:\windows\ehome\ehSched.exe
d:\windows\system32\dllhost.exe
d:\windows\system32\wscntfy.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-06 18:36:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 18:36:29
ComboFix2.txt 2008-12-06 13:38:23
ComboFix3.txt 2008-12-06 12:12:35

Pre-Run: 1,946,390,528 bytes free
Post-Run: 1,347,039,232 bytes free

142 --- E O F --- 2008-11-13 11:27:07




And the kaspersky one



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 19:53:45
Records in database: 1440831
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 34217
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:45:12


File name / Threat name / Threats count
D:\Qoobox\Quarantine\D\WINDOWS\system32\cwegus.dll.vir Infected: Hoax.Win32.Agent.he 1

The selected area was scanned.


You are an absolute star, sUBs.
Old 12-06-2008, 08:07 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Did ComboFix ask for a file to be uploaded? Is it uploaded yet?

If not so, please locate & double click on this file - C:\QooBox\CF-Submit.htm
Old 12-06-2008, 08:25 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

I'm afraid it didn't, and I cannot find it.

Have I done something wrong?
Old 12-06-2008, 08:31 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Please locate & post the contents of this file

C:\QooBox\ComboFix-quarantined-files.txt
Old 12-06-2008, 08:38 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

I believe this is what you were after

2008-02-29 13:25:04 A------- 15,360 D:\Qoobox\Quarantine\D\WINDOWS\system32\cwegus.dll.vir
2008-12-02 01:02:33 A------- 47,368 D:\Qoobox\Quarantine\D\Program Files\WebMediaViewer\browseul.dll.vir
2008-12-02 01:02:38 A------- 35,758 D:\Qoobox\Quarantine\D\Program Files\WebMediaViewer\hpmun.exe.vir
2008-12-02 01:02:38 A------- 86,225 D:\Qoobox\Quarantine\D\Program Files\WebMediaViewer\hpmon.exe.vir
2008-12-02 01:03:17 A------- 37,659 D:\Qoobox\Quarantine\D\Program Files\WebMediaViewer\hpmun.dll.vir
2008-12-02 01:03:19 A------- 33,667 D:\Qoobox\Quarantine\D\Program Files\WebMediaViewer\hpmom.exe.vir
2008-12-06 11:19:19 A------- 270 D:\Qoobox\Quarantine\catchme.log
2008-12-06 11:23:19 A------- 5,914 D:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-06 11:24:43 A------- 0 D:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-06 11:24:43 A------- 0 D:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-06 11:24:43 A------- 0 D:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-06 11:24:54 A------- 144 D:\Qoobox\Quarantine\Registry_backups\HKCU-Run-AnvTrgr.reg.dat
2008-12-06 11:25:01 A------- 162 D:\Qoobox\Quarantine\Registry_backups\HKLM-Explorer_Run-VMware hptray.reg.dat
2008-12-06 11:25:11 A------- 158 D:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{4d5b7736-a3bc-4e5b-9fa2-1bcc3e587abb}.reg.dat
2008-12-06 11:25:23 A------- 652 D:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AlcoholAutomount.reg.dat
2008-12-06 11:25:24 A------- 560 D:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-brastk.reg.dat
2008-12-06 11:25:24 A------- 616 D:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-LogitechVideoTray.reg.dat
2008-12-06 11:25:24 A------- 618 D:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-LogitechVideoRepair.reg.dat
2008-12-06 11:25:24 A------- 622 D:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-PinnacleDriverCheck.reg.dat
2008-12-06 11:25:24 A------- 668 D:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-LogitechSoftwareUpdate.reg.dat
2008-12-06 18:22:22 A------- 3,032 D:\Qoobox\Quarantine\[4]-Submit_2008-12-06@18.22.zip
2008-12-06 18:24:53 A------- 1,316 D:\Qoobox\Quarantine\Registry_backups\Legacy_A5C7DA6261682860.reg.dat
2008-12-06 18:24:54 A------- 3,112 D:\Qoobox\Quarantine\Registry_backups\Service_A5C7DA6261682860.reg.dat
Old 12-06-2008, 08:44 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

D:\Qoobox\Quarantine\[4]-Submit_2008-12-06@18.22.zip

This is the file that needs to be uploaded. We want to get it to the antivirus companies so that they may add detections for this malware. Please upload it to this website: http://www.bleepingcomputer.com/subm....php?channel=4

Kindly include a link to this topic in the message.
Old 12-06-2008, 09:01 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

Uploaded with pleasure
Old 12-06-2008, 09:02 PM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

Thank you.

Your system is clean & in good order. We just need to remove Qoobox by uninstalling ComboFix. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
Old 12-06-2008, 09:09 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.

Windows cannot find "Combofix/u", please check ya de ya da etc.

Am I being dense?
Old 12-06-2008, 09:11 PM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

You need a blank space between combofix and /u

Like so ...

ComboFix <space>/U
Old 12-06-2008, 09:16 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 10
OS: xp media centre edition


Re: Explorer problems, avg cant update, pc freezes.


I was being dense then.

Thank you so much for the help, sUBs, it's very greatly appreciated.

Take care now
Old 12-06-2008, 09:20 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Re: Explorer problems, avg cant update, pc freezes.

LOL ... you aren't dense. Just tired after a hard battle.

Surf safe
 


Copyright 2001 - 2009, Tech Support Forum