HijackThis Log



#1 diaokid (Full Member, 25 posts)

Posted 12 January 2008 - 10:13 AM

Here's my HJT log file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:11:39 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\DaiWei\My Documents\HiJackThis_v2.exe
C:\DOCUME~1\DaiWei\LOCALS~1\Temp\hosta.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A693A5AB-BDBA-4AE7-A1C8-E41FEE1C020B} - C:\Program Files\Common Files\Microsoft Shared\MSINFO\System76.Ins
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\MsPrint32D.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [dsa7z] C:\WINDOWS\system32\N0TEB00K.EXE
O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\WINDOWS\system32\CTFM0N.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112294063359
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestat....cab?v=1,0,0,23
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8DC0C1-CD3A-4046-B57D-EB59FF33FF32}: NameServer = 165.21.83.88 165.21.100.88
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 8588 bytes

Please assist. Thanks!! :thumbsup:

#2 SWI Support Robot (Helper robot, SWI Bot, 23,523 posts)

Posted 15 January 2008 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 19 January 2008 - 09:48 AM

Hi diaokid, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

Your version of HijackThis is outdated.
Please download the current version of HijackThis:
http://www.trendsecu...p?page=download
Please save it in a convenient permanent folder such as C:\HJT\,
and be sure the next log is with the newer version.

When you post your HijackThis log, if you are using Notepad, please turn off Word Wrap. That is probably what caused all the extra line breaks in your log.

You are running GetRight from Headlight Software, a download manager for resuming downloads and choosing multiple download locations. The freeware version is/was spyware. The registered version isn't if you don't install the Aureate/Radiate software. I recommend uninstalling it and using one of the download managers mentioned in this article.

If you decide to uninstall GetRight, Go to Start > Control Panel > Add or Remove Programs and remove the following program:
GetRight

If you decided to uninstall GetRight, using Windows Explorer, locate and delete the following folder:
C:\Program Files\GetRight

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\DOCUME~1\DaiWei\LOCALS~1\Temp\hosta.exe
Exit the Task Manager when finished.

Download ATF Cleaner by Atribune from here http://www.atribune....tent/view/25/1/ and save it to your Desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

* The purpose of the Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you rarely use, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to start - the second, and subsequent, boots should be quicker.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A693A5AB-BDBA-4AE7-A1C8-E41FEE1C020B} - C:\Program Files\Common Files\Microsoft Shared\MSINFO\System76.Ins
O4 - HKLM\..\Policies\Explorer\Run: [dsa7z] C:\WINDOWS\system32\N0TEB00K.EXE
O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\WINDOWS\system32\CTFM0N.EXE


You can optionally check the following entry. This is part of Microsoft Office located in your Startup folder, but it's not needed, and it's a resource hog:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

If you uninstalled GetRight as recommended, also check (if still there):
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.

Using Windows Explorer, locate the following files, and delete them:
C:\Documents and Settings\DaiWei\Local Settings\Temp\hosta.exe
C:\Program Files\Common Files\Microsoft Shared\MSINFO\System76.Ins
C:\WINDOWS\system32\N0TEB00K.EXE

Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Save the file to your Desktop.
Double click combofix.exe & follow the prompts.
Don't click on the ComboFix window while it's running; that could cause it to stall.
When finished, and after reboot, it should open a log, combofix.txt.
Post that log in your next reply.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe that you downloaded to install the newest version.
I recommend installing a software firewall. I didn't see one in your HijackThis log (the XP SP2 firewall isn't sufficient protection, it only checks incoming data). Two free firewalls are Sunbelt Kerio Personal Firewall available from http://www.sunbelt-s...e.com/Kerio.cfm, and Zone Alarm from zonelabs.com http://www.zonelabs....reeDownload.jsp. There is a tutorial on understanding firewalls at http://www.bleepingc...tutorial60.html and a tutorial from Markus Jansson on setting up ZoneAlarm at http://www.markusjansson.net/eza.html. If you install ZoneAlarm (an excellent firewall), I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com here.

Please go to VirusTotal and submit the following file for a scan and post the results in your next reply:
C:\WINDOWS\system32\CTFM0N.EXE

Please post a new HijackThis log, the log from Dr.Web CureIt (DrWeb.csv), the results from scanning the file at VirusTotal, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
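The entries TheJoker picked out of the log above (the BHO with no file behind it, a BHO loading from a .Ins file, two Policies\Explorer\Run autostarts with look-alike names such as CTFM0N.EXE, and a process running from Temp) share tells that can be checked mechanically. The script below is an added example written for this thread; it is not part of HijackThis, ComboFix or Dr.Web. The system-binary list and the digit-to-letter map are my own assumptions, and the sample log is constructed from lines quoted in the thread, including one Image File Execution Options key and debugger= value in the style of the ComboFix log posted later, where several antivirus executables are redirected to wscntfy.exe.

```python
"""Triage heuristics for HijackThis-style log lines and ComboFix-style
"Reg Loading Points" entries.

Added example for this thread; not part of HijackThis, ComboFix or Dr.Web.
SYSTEM_BINARIES and LOOKALIKE_DIGITS are assumptions of this example, and
SAMPLE_LOG is constructed from entries quoted in the thread.
"""
from __future__ import annotations

import re

# Constructed sample: one benign and one suspicious process line, the BHO and
# O4 entries the helper flagged, two benign autostarts, and an IFEO pair.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\DaiWei\LOCALS~1\Temp\hosta.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A693A5AB-BDBA-4AE7-A1C8-E41FEE1C020B} - C:\Program Files\Common Files\Microsoft Shared\MSINFO\System76.Ins
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [dsa7z] C:\WINDOWS\system32\N0TEB00K.EXE
O4 - HKLM\..\Policies\Explorer\Run: [compmgmt] C:\WINDOWS\system32\CTFM0N.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe
"""

# Windows binaries that malware imitates by swapping letters for look-alike
# digits (assumed list for this example; extend it for your environment).
SYSTEM_BINARIES = {
    "ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "csrss.exe", "spoolsv.exe",
}
LOOKALIKE_DIGITS = str.maketrans({"0": "o", "1": "l", "5": "s"})

O4_RE = re.compile(r"O4 - (?P<loc>.+?): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
IFEO_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\.*\\image file execution options\\([^\]]+)\]$", re.I)
FILE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|com|pif|scr|ins))', re.I)


def file_name(command: str) -> str | None:
    """Lower-cased file name of the program a command line or path runs."""
    m = FILE_RE.search(command)
    return m.group(1).lower() if m else None


def lookalike_of(name: str) -> str | None:
    """The legitimate binary `name` imitates with digit substitutions, if any."""
    normalized = name.translate(LOOKALIKE_DIGITS)
    return normalized if normalized != name and normalized in SYSTEM_BINARIES else None


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for every entry that trips a heuristic."""
    findings: list[tuple[str, str]] = []
    ifeo_target: str | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # An IFEO key followed by debugger=... makes Windows start the named
        # "debugger" whenever that program is launched; AV names here mean the
        # products were being prevented from running.
        m = IFEO_RE.match(line)
        if m:
            ifeo_target = m.group(1)
            continue
        if ifeo_target and line.lower().startswith("debugger="):
            findings.append((line, f"IFEO Debugger hijack: starting {ifeo_target} "
                                   f"runs {line.split('=', 1)[1]} instead"))
            ifeo_target = None
            continue
        ifeo_target = None

        if line.startswith("O2 - BHO:"):
            target = line.rsplit(" - ", 1)[1]
            if target == "(no file)":
                findings.append((line, "orphaned BHO: CLSID registered but the DLL is gone"))
            elif not target.lower().endswith(".dll"):
                findings.append((line, "BHO loading from a non-DLL file"))
            continue

        m = O4_RE.match(line)
        if m:
            location, command = m.group("loc"), m.group("cmd")
        elif re.match(r"[A-Za-z]:\\", line):  # "Running processes" entry
            location, command = "running process", line
        else:
            continue
        if "policies\\explorer\\run" in location.lower():
            findings.append((line, "autostart under Policies\\Explorer\\Run, "
                                   "a key ordinary installers leave empty"))
        if re.search(r"\\temp\\", command, re.I):
            findings.append((line, "program running from a Temp folder"))
        name = file_name(command)
        legit = lookalike_of(name) if name else None
        if legit:
            findings.append((line, f"{name} imitates {legit} with look-alike digits"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Feed `triage()` the text of a saved log and review every hit by hand: the heuristics only rank entries for attention, and a Policies\Explorer\Run or IFEO hit is confirmed by checking the file it points at, which is why the helper also asked for a VirusTotal scan of CTFM0N.EXE. An IFEO Debugger value is consulted by name, not by path, so the redirection catches the antivirus executable wherever it is installed; ComboFix lists such keys under "Reg Loading Points" precisely because a normal machine has none pointing at a system binary.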


#4 diaokid (Full Member, 25 posts)

Posted 02 February 2008 - 12:01 PM

Thank you for helping. ^_^

First things first, I'm having trouble uninstalling GetRight. Every time I try to uninstall, the programme prompts me as to whether I wish to uninstall or update. Upon clicking uninstall, nothing happens and GetRight is still on my PC.

Here's the drweb.csv logfile:

orrr.exe;C:\WINDOWS\system32;Trojan.DownLoader.38445;Deleted.;
RegUBP2b-DaiWei.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
up[1].exe;C:\Documents and Settings\DaiWei\Local Settings\Temporary Internet Files\Content.IE5\P0HS40YP;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0059944.exe;C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP394;Trojan.DownLoader.38445;Deleted.;
A0059994.exe;C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP395;Trojan.DownLoader.38445;Deleted.;
21391046.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6632;Deleted.;
21493984.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6664;Deleted.;
21504390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2699;Deleted.;
21515312.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6672;Deleted.;
01367546.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2659;Deleted.;
01374687.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
00895203.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6632;Deleted.;
00903390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2659;Deleted.;
00908843.FIL;C:\$VAULT$.AVG;Trojan.PWS.Lineage.origin;Incurable.Moved.;
00917000.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
00944671.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2646;Deleted.;
00950578.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6672;Deleted.;
00958953.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6664;Deleted.;
00967296.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2699;Deleted.;
01135421.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
01160578.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
01169859.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
01178250.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2699;Deleted.;
01192578.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
01215515.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
01226046.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.7103;Deleted.;
01773218.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
01863625.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6663;Deleted.;
08547406.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
08547921.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
08548015.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
08548109.FIL;C:\$VAULT$.AVG;Trojan.PWS.Lineage.origin;Incurable.Moved.;
08548250.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2659;Deleted.;
08548390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
08548515.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6672;Deleted.;
08820953.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
08942500.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
15542671.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
00840218.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
00859000.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
00985468.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.7103;Deleted.;
02218906.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6663;Deleted.;
00706906.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
00715171.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
00719390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
00729609.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
00736390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
02333171.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
02347781.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
02370843.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
02388281.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
02399031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
02413593.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
02453843.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6663;Deleted.;
02468890.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
04046046.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
04060640.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
04078703.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
04094031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2699;Deleted.;
04112859.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
04129093.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
04141500.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.7103;Deleted.;
04168187.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6663;Deleted.;
04182750.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
03901640.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
00885203.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
00927984.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
00960296.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
00966828.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
00987375.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
00997687.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
02163546.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
02196765.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
02274109.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
02292031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
02305625.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
03383625.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6663;Deleted.;
04021453.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
05484890.FIL;C:\$VAULT$.AVG;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
20392250.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
20413875.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
20434296.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
20440406.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
20449531.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
20470187.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
05757750.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
05766156.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
06212171.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
06760000.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
08640687.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
17051046.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
17061843.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
18746062.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
18794890.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
18800890.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6663;Deleted.;
08980109.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
17839015.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6637;Deleted.;
18519937.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6654;Deleted.;
19554109.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2691;Deleted.;
19573875.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
19617265.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
20159515.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6957;Deleted.;
05482921.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05483796.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05483968.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05484109.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05484234.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05484328.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05484484.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
05484656.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
05491703.FIL;C:\$VAULT$.AVG;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
05496343.FIL;C:\$VAULT$.AVG;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
05496500.FIL;C:\$VAULT$.AVG;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
05496625.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05496765.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
05496875.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
05496984.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
05497125.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05497250.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
05497343.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
05497453.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05497562.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
05497687.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
05497812.FIL\data001;C:\$VAULT$.AVG\05497812.FIL;Tool.KnlKillp;;
05497812.FIL\data002;C:\$VAULT$.AVG\05497812.FIL;Tool.KnlKillp;;
05497812.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
05497953.FIL;C:\$VAULT$.AVG;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
05498062.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07422375.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07422828.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07423031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07423187.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07423359.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07423531.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2757;Deleted.;
07423906.FIL;C:\$VAULT$.AVG;Trojan.PWS.Wsgame.2725;Deleted.;
07424046.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.6670;Deleted.;
07424140.FIL;C:\$VAULT$.AVG;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
01695515.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.42669;Deleted.;
01857843.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.38445;Deleted.;
01912046.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.38445;Deleted.;
01916546.FIL;C:\$VAULT$.AVG;Probably BACKDOOR.Trojan;Incurable.Moved.;

And I could not locate the following files which you instructed me to delete:
C:\Program Files\Common Files\Microsoft Shared\MSINFO\System76.Ins
C:\WINDOWS\system32\N0TEB00K.EXE

And here's the ComboFix log:

ComboFix 08-02.02.5 - DaiWei 2008-02-03 0:28:00.1 - FAT32x86
Running from: C:\Documents and Settings\DaiWei\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\armebsea.fon
C:\WINDOWS\Fonts\enfebfx.fon
C:\WINDOWS\Fonts\kafylcs.dll
C:\WINDOWS\Fonts\okmhfcs.dll
C:\windows\system32\applog
C:\windows\system32\applog\MKMODULE.LGC
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\CTFM0N.EXE
C:\WINDOWS\system32\flyage.dll
C:\WINDOWS\system32\lo.dll
C:\WINDOWS\system32\sos2.txt

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-30 21:10 . 2008-01-30 21:10 <DIR> d-------- C:\Documents and Settings\DaiWei\DoctorWeb
2008-01-17 22:31 . 2008-02-03 00:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 22:31 . 2008-01-17 22:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-13 16:03 . 2008-01-13 16:04 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-13 15:47 . 2008-01-13 15:47 <DIR> d-------- C:\Program Files\SeagateToolkit
2008-01-12 23:22 . 2008-01-12 23:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-12 23:22 . 2008-01-12 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 22:59 . 2007-10-11 07:56 1,159,680 --a------ C:\WINDOWS\system32\aesawa.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2005-07-28 11:31 26,056 ----a-w C:\Documents and Settings\DaiWei\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 08:24 26,056 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-05-20 12:17 56 --sh--r C:\WINDOWS\system32\203596C71E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 03:36 36975]
"SoundMan"="soundman.exe" [2001-05-29 17:02 124416 C:\WINDOWS\soundman.exe]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 22:43 57344]
"GSICONEXE"="GSICON.EXE" [2002-12-16 16:40 90112 C:\WINDOWS\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2002-03-22 09:54 16384 C:\WINDOWS\system32\dslagent.exe]
"AcerGoto"="C:\WINDOWS\System32\AcerGoto.exe" [2001-09-05 21:44 323584]
"ZingSpooler"="C:\Program Files\Common Files\Zing\ZingSpooler.exe" [2004-08-05 15:38 188416]
"Cmaudio"="cmicnfg.cpl" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 10:57 579072]
"ToolKit"="C:\Program Files\SeagateToolkit\Toolkit.exe" [2005-03-24 17:22 888832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 20:07 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CB681598-AD5F-BC8C-77DC-748FAC8D3FBC}"= C:\WINDOWS\Fonts\kafylzy.dll [ ]
"{6A57CAD1-412F-9547-713F-9641FA3FC7A6}"= C:\WINDOWS\Fonts\okmhfzy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-08-24 21:41 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FrogAgent.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\katmain.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavsvc.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvMonXP.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVXP.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mcshield.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmc.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\naPrdMgr.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SnipeSword.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TBMon.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpdaterUI.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VsTskMgr.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-04-10 15:51 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

R1 dcswap;dcswap;C:\WINDOWS\System32\Drivers\dcswap.sys [2001-09-05 21:44]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 13:29]
R3 WBMSA;Winbond Memory Stick Storage (MS) Device Driver - A;C:\WINDOWS\system32\Drivers\WBMSA.SYS [2001-07-31 13:29]
S2 gafwload;DSL100U USB ADSL Modem Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2002-03-22 10:01]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 00:35:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 0:36:19
ComboFix-quarantined-files.txt 2008-02-02 16:36:14
.
2007-12-12 15:16:34 --- E O F ---

And here's the result of the scan for ctfm0n.exe from VirusTotal:

MD5: 24232996a38c0b0cf151c2140ae29fc8
Date: 01.31.2008 19:23:12 (CET) [+1D]
Results: 0/32
Permalink: analisis/f93c04e7ff430b2d50efd84ace101e0c

#5 diaokid (Full Member, 25 posts)

Posted 02 February 2008 - 12:06 PM

And the new HijackThis log. (BTW, at the point of typing this I haven't installed ZoneAlarm or updated Java. Will get down to it soon.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:23 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\DaiWei\My Documents\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ToolKit] "C:\Program Files\SeagateToolkit\Toolkit.exe" -L -S /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112294063359
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestat....cab?v=1,0,0,23
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8DC0C1-CD3A-4046-B57D-EB59FF33FF32}: NameServer = 165.21.83.88 165.21.100.88
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7891 bytes

#6 TheJoker (Forum Deity, Boot Camp Mod, 14,352 posts)

Posted 02 February 2008 - 01:27 PM

Can you please repost the VirusTotal log?
It was apparently cut off by the maximum post length.

First things first, I'm having trouble uninstalling GetRight. Every time I try to uninstall, the programme prompts me as to whether I wish to uninstall or update. Upon clicking uninstall, nothing happens and GetRight is still on my PC.

I no longer see it in your HijackThis log. It may just be showing the uninstall entry.
If you haven't already, using Windows Explorer, delete the following folder:
C:\Program Files\GetRight

Run HijackThis, click on "Open the Misc Tools section", and then on "Open Uninstall Manager", select the item below:
GetRight

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CB681598-AD5F-BC8C-77DC-748FAC8D3FBC}"=-
"{6A57CAD1-412F-9547-713F-9641FA3FC7A6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FrogAgent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\katmain.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVCenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KvMonXP.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVXP.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mcshield.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mmc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\naPrdMgr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SnipeSword.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TBMon.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TrojDie.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpdaterUI.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\VsTskMgr.exe]


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
First, please close all other open programs, including any non-essential programs running in your System Tray (do NOT close your antivirus or firewall).
Go to http://www.kaspersky...uk/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Please post a new HijackThis log, the log from Kaspersky's online scan, and in a second reply (due to length) the results from scanning the file at VirusTotal, the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
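
The CFScript above was written by hand from the ComboFix "Reg Loading Points" section: every Image File Execution Options key whose "debugger" value points at wscntfy.exe gets a [-key] deletion, the two ShellExecuteHooks entries whose DLLs ComboFix could not find on disk (the empty "[ ]" after the path) get "name"=- value deletions, and the orphaned Cmaudio autorun is dropped too. The script below is an added example, not ComboFix's or TheJoker's code, that automates exactly that triage: it parses the loading-points format, flags the IFEO redirections (and the tell-tale reuse of one "debugger" across many unrelated security products), flags hook DLLs that are missing or load from an untrusted directory, and renders the findings in the CFScript Registry:: syntax used in the reply. The sample log is a constructed excerpt in ComboFix's format (with one benign shell32.dll hook added as a control), and the list of trusted DLL directories is an assumption for the example.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log: flag IFEO debugger
redirection of security products, ShellExecuteHooks DLLs that are missing or
untrusted, and autoruns whose file is gone; then emit the matching CFScript."""
import re
from collections import defaultdict

# Constructed sample in ComboFix's loading-points format (not the full log above).
# The shell32.dll hook is a benign control entry added for this example.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Cmaudio"="cmicnfg.cpl" []
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CB681598-AD5F-BC8C-77DC-748FAC8D3FBC}"= C:\WINDOWS\Fonts\kafylzy.dll [ ]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= C:\WINDOWS\system32\shell32.dll [2004-08-04 15:56 8461312]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kav.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Mcshield.exe]
debugger=C:\WINDOWS\system32\wscntfy.exe
"""

# Assumption for this example: on XP a ShellExecuteHook DLL is only plausible
# under these directories; C:\WINDOWS\Fonts, %TEMP% or a user profile is not.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
IFEO = "\\image file execution options\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data [date time size ...]; empty brackets mean ComboFix found no such file.
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*?)\s*(\[(.*?)\])?$')


def parse_loading_points(text):
    """Yield (key, name, data, attrs); attrs is '' when the file was missing, None if not given."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        if line.lower().startswith("debugger="):
            yield key, "debugger", line.split("=", 1)[1].strip(), None
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data, _, attrs = m.groups()
            yield key, name, data.strip('"'), (attrs.strip() if attrs is not None else None)


def find_hijacks(text):
    """Return (severity, key, value_name, reason) findings for one log."""
    findings = []
    by_debugger = defaultdict(list)  # debugger path -> executables it intercepts
    for key, name, data, attrs in parse_loading_points(text):
        k = key.lower()
        if IFEO in k and name == "debugger":
            # IFEO\<exe>\Debugger makes Windows start <data> in place of <exe>. It has
            # legitimate uses, but wscntfy.exe (the Security Center notifier) is no
            # debugger: the AV process simply never runs.
            target = key.rsplit("\\", 1)[1]
            by_debugger[data.lower()].append(target)
            findings.append(("high", key, name, f"IFEO debugger redirects {target} to {data}"))
        elif k.endswith("\\shellexecutehooks"):
            if attrs == "":
                findings.append(("high", key, name, f"hook DLL {data} not on disk at scan time"))
            elif not data.lower().startswith(TRUSTED_DLL_DIRS):
                findings.append(("high", key, name, f"hook DLL {data} loads from an untrusted directory"))
        elif k.endswith("\\run") and attrs == "":
            findings.append(("low", key, name, f"autorun {name} points at missing file {data}"))
    # One "debugger" shared by several unrelated security products is the giveaway.
    for dbg, targets in by_debugger.items():
        if len(targets) >= 2:
            findings.append(("high", "(summary)", "debugger",
                             f"{dbg} intercepts {len(targets)} executables: {', '.join(targets)}"))
    return findings


def build_cfscript(findings):
    """Render findings in CFScript syntax: "name"=- deletes a value, [-key] deletes a key."""
    value_deletes, key_deletes = defaultdict(list), {}
    for _, key, name, _ in findings:
        if key == "(summary)":
            continue
        if IFEO in key.lower():
            key_deletes[key] = None  # dict keeps first-seen order and drops repeats
        else:
            value_deletes[key].append(name)
    lines = ["Registry::"]
    for key, names in value_deletes.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    lines.extend(f"[-{k}]" for k in key_deletes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(find_hijacks(SAMPLE_LOG)))
```

Run against the sample it produces the same shape of Registry:: block as the one in the reply: one "Cmaudio"=- line, one "{GUID}"=- line for the Fonts-directory hook, and one [-key] line per hijacked IFEO entry, while the benign QuickTime autorun and shell32.dll hook are left alone. Treat the output as a draft to review, not to run blindly: an IFEO Debugger value is occasionally legitimate (a developer's debugger, or a tool deliberately registered in place of taskmgr.exe), so check what the "debugger" actually is before deleting the key.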


#7 diaokid (Full Member, 25 posts)

Posted 03 February 2008 - 10:34 AM

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:51 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\System32\AcerGoto.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Picasa2\Picasa2.exe
C:\Documents and Settings\DaiWei\My Documents\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestat...ion=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112294063359
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestat....cab?v=1,0,0,23
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8DC0C1-CD3A-4046-B57D-EB59FF33FF32}: NameServer = 165.21.83.88 165.21.100.88
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8299 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 03, 2008 11:28:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/02/2008
Kaspersky Anti-Virus database records: 546327
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
M:\

Scan Statistics:
Total number of scanned objects: 48516
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 03:14:52

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\TEMP\ZLT07d22.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT07d29.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\OEM-5J552QKFG74.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\DaiWei\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Temp\~DF54FF.tmp Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Temp\~DF5531.tmp Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Temp\~DF4334.tmp Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\History\History.IE5\MSHist012008020320080204\index.dat Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Google\Picasa2\db\albums.db Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Google\Picasa2\db\albumxml.db Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Google\Picasa2\db\thumbs.db Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Google\Picasa2\db\thumbs2.db Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Google\Picasa2\db\bigthumbs.db Object is locked skipped
C:\Documents and Settings\DaiWei\Local Settings\Application Data\Google\Picasa2\db\previews.db Object is locked skipped
C:\Documents and Settings\DaiWei\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\DaiWei\ntuser.dat Object is locked skipped
C:\Documents and Settings\DaiWei\DoctorWeb\Quarantine\up[1].exe Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP397\A0060040.EXE Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP397\A0060050.exe Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP400\change.log Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP382\A0059448.EXE Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP383\A0059455.EXE Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP385\A0059639.EXE Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP385\A0059652.EXE Object is locked skipped
C:\System Volume Information\_restore{5ABB4C38-3B23-4692-B2FF-0E617AD83917}\RP386\A0059686.EXE Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\CTFM0N.EXE.vir Infected: Trojan.Win32.Agent.emu skipped

Scan process completed.

#8 diaokid

diaokid

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 03 February 2008 - 10:40 AM

From VirusTotal:

File has already been analysed:
MD5: 24232996a38c0b0cf151c2140ae29fc8
Date: 01.31.2008 19:23:12 (CET) [>2D]
Results: 0/32
Permalink: analisis/f93c04e7ff430b2d50efd84ace101e0c

Not sure if this is what you want, so I clicked on the permalink / show last report:

File ctfmon.exe received on 01.31.2008 19:20:03 (CET)
Current status: finished

Result: 0/32 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.1.10 2008.01.31 -
AntiVir 7.6.0.59 2008.01.31 -
Authentium 4.93.8 2008.01.31 -
Avast 4.7.1098.0 2008.01.31 -
AVG 7.5.0.516 2008.01.31 -
BitDefender 7.2 2008.01.31 -
CAT-QuickHeal 9.00 2008.01.30 -
ClamAV 0.92 2008.01.31 -
DrWeb 4.44.0.09170 2008.01.31 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5500 2008.01.31 -
Ewido 4.0 2008.01.31 -
FileAdvisor 1 2008.01.31 -
Fortinet 3.14.0.0 2008.01.31 -
F-Prot 4.4.2.54 2008.01.30 -
F-Secure 6.70.13260.0 2008.01.31 -
Ikarus T3.1.1.20 2008.01.31 -
Kaspersky 7.0.0.125 2008.01.31 -
McAfee 5220 2008.01.31 -
Microsoft 1.3109 2008.01.31 -
NOD32v2 2840 2008.01.31 -
Norman 5.80.02 2008.01.31 -
Panda 9.0.0.4 2008.01.30 -
Prevx1 V2 2008.01.31 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.25.0 2008.01.31 -
Sunbelt 2.2.907.0 2008.01.31 -
Symantec 10 2008.01.31 -
TheHacker 6.2.9.203 2008.01.30 -
VBA32 3.12.2.6 2008.01.31 -
VirusBuster 4.3.26:9 2008.01.31 -
Webwasher-Gateway 6.6.2 2008.01.31 -
Additional information
File size: 15360 bytes
MD5: 24232996a38c0b0cf151c2140ae29fc8
SHA1: b36d03b56a30187ffc6257459d632a4faac48af2
PEiD: -

ComboFix log:
ComboFix 08-02.02.5 - DaiWei 2008-02-03 17:52:09.2 - FAT32x86
Running from: C:\Documents and Settings\DaiWei\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DaiWei\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 17:02 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-03 16:58 . 2008-02-03 16:58 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-30 21:10 . 2008-01-30 21:10 <DIR> d-------- C:\Documents and Settings\DaiWei\DoctorWeb
2008-01-17 22:31 . 2008-02-03 16:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 22:31 . 2008-01-17 22:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-13 16:03 . 2008-01-13 16:04 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-13 15:47 . 2008-01-13 15:47 <DIR> d-------- C:\Program Files\SeagateToolkit
2008-01-12 23:22 . 2008-01-12 23:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-12 23:22 . 2008-01-12 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 22:59 . 2007-10-11 07:56 1,159,680 --a------ C:\WINDOWS\system32\aesawa.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2005-07-28 11:31 26,056 ----a-w C:\Documents and Settings\DaiWei\Application Data\GDIPFONTCACHEV1.DAT
2005-06-13 08:24 26,056 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-05-20 12:17 56 --sh--r C:\WINDOWS\system32\203596C71E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 17:02 124416 C:\WINDOWS\soundman.exe]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 22:43 57344]
"GSICONEXE"="GSICON.EXE" [2002-12-16 16:40 90112 C:\WINDOWS\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2002-03-22 09:54 16384 C:\WINDOWS\system32\dslagent.exe]
"AcerGoto"="C:\WINDOWS\System32\AcerGoto.exe" [2001-09-05 21:44 323584]
"ZingSpooler"="C:\Program Files\Common Files\Zing\ZingSpooler.exe" [2004-08-05 15:38 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 10:57 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 20:07 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-08-24 21:41 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-04-10 15:51 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

R1 dcswap;dcswap;C:\WINDOWS\System32\Drivers\dcswap.sys [2001-09-05 21:44]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 13:29]
R3 WBMSA;Winbond Memory Stick Storage (MS) Device Driver - A;C:\WINDOWS\system32\Drivers\WBMSA.SYS [2001-07-31 13:29]
S2 gafwload;DSL100U USB ADSL Modem Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2002-03-22 10:01]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 17:58:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 18:03:06
ComboFix-quarantined-files.txt 2008-02-03 10:02:58
ComboFix2.txt 2008-02-02 16:36:24
.
2007-12-12 15:16:34 --- E O F ---

Thanks!

#9 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 03 February 2008 - 09:16 PM

Everything looks good.
There is one infected file, but it's already in ComboFix's quarantine, and it will be removed when ComboFix is uninstalled.

Go to Start > Run and copy and paste the next command into the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close

Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/...p2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewa...uc/resource.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools...m/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywar...showtopic=60955

Does your problem appear resolved?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#10 diaokid

diaokid

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 04 February 2008 - 11:13 AM

Yup...things seem fine!

Thanks for your help. Much appreciated!

Cheers.

#11 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,352 posts

Posted 04 February 2008 - 06:26 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
