Hijacked Browser it seems

August 6th, 2016

Hi people, seem to be having a problem when I am using my browser (Firefox of course). It will sometimes, every few minutes, pop up a window linking me to – http://url.adtrgt.com/cpv.jsp?.... Either a white screen page or some advertisement.
I have run NOD32 Scan, Spybot, Adaware but can't seem to get rid of it. Any ideas please?
Kind Regards
Press

Answer #1
Let's see what we're looking at first.
Please download the current version of HijackThis from here.
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Answer #2
Thanks for the fast response.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:15, on 20/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office 2003\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office 2003\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jimmy\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office 2003\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll caqonf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Nod32 AV (EsetNod32Fix) - Unknown owner - C:\WINDOWS\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 8922 bytes

Answer #3
Looks like an old version of vundo.
1. Download combofix from here
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix’s window whilst it’s running. That may cause it to stall.
Answer #4
Thanks again.
ComboFix 08-11-19.08 - Jimmy 2008-11-20 19:48:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1338 [GMT 0:00]
Running from: c:\documents and settings\Jimmy\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
/wow section - STAGE 41
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jimmy\Application Data\Antivirus2008y
c:\documents and settings\Jimmy\Application Data\inst.exe
c:\windows\adaway.lic
c:\windows\system32\caqonf.dll
c:\windows\system32\cbXNFwvs.dll
c:\windows\system32\cbXPfCtR.dll
c:\windows\system32\CfPponpo.ini
c:\windows\system32\CfPponpo.ini2
c:\windows\system32\ddcaWMdc.dll
c:\windows\system32\ehsfkdqn.dll
c:\windows\system32\eodjiuwg.dll
c:\windows\system32\gonrwj.dll
c:\windows\system32\kejoyvqv.dll
c:\windows\system32\lgrfmi.dll
c:\windows\system32\maqokgrs.dll
c:\windows\system32\ooczmq.dll
c:\windows\system32\opnopPfC.dll
c:\windows\system32\rkafvn.dll
c:\windows\system32\rqRjjhhi.dll
c:\windows\system32\ufpphcxv.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
2008-11-20 19:40 . 2008-11-20 19:40<DIR>d--------c:\program files\Trend Micro
2008-11-20 17:27 . 2008-11-20 17:47<DIR>d--------c:\program files\Adware Away
2008-11-20 16:56 . 2008-11-20 16:55102,664--a------c:\windows\system32\drivers\tmcomm.sys
2008-11-20 16:55 . 2008-11-20 17:00<DIR>d--------c:\documents and settings\Jimmy\.housecall6.6
2008-11-20 13:14 . 2008-11-20 13:14<DIR>d--------c:\program files\Lavasoft
2008-11-20 13:14 . 2008-11-20 13:16<DIR>d--------c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 13:08 . 2008-11-20 13:0895--a------c:\windows\wininit.ini
2008-11-20 10:24 . 2008-11-20 10:2441,472--a------c:\windows\system32\xbspnerw.dll
2008-11-19 23:07 . 2008-11-19 23:0741,472--a------c:\windows\system32\xsbrwqtl.dll
2008-11-18 23:06 . 2008-11-18 23:0641,472--a------c:\windows\system32\pwwskcdh.dll
2008-11-17 23:05 . 2008-11-17 23:0541,472--a------c:\windows\system32\avguvdbi.dll
2008-11-17 20:36 . 2008-11-20 10:24<DIR>d--------c:\documents and settings\Jimmy\Application Data\skypePM
2008-11-17 20:36 . 2008-11-17 20:3656--ah-----c:\windows\system32\ezsidmv.dat
2008-11-17 20:35 . 2008-11-20 12:14<DIR>d--------c:\documents and settings\Jimmy\Application Data\Skype
2008-11-17 20:34 . 2008-11-17 20:35<DIR>d--------c:\program files\Skype
2008-11-17 20:34 . 2008-11-17 20:34<DIR>d--------c:\program files\Common Files\Skype
2008-11-17 20:34 . 2008-11-17 20:34<DIR>d--------c:\documents and settings\All Users\Application Data\Skype
2008-11-17 20:30 . 2008-11-17 22:44<DIR>d--------c:\documents and settings\Jimmy\Application Data\Hamachi
2008-11-17 20:29 . 2008-11-17 22:08<DIR>d--------c:\program files\Hamachi
2008-11-17 20:29 . 2008-11-17 20:2917,480--a------c:\windows\system32\drivers\hamachi.sys
2008-11-17 20:24 . 2004-08-04 00:5621,504--a------c:\windows\system32\hidserv.dll
2008-11-17 20:24 . 2004-08-04 00:5621,504--a--c---c:\windows\system32\dllcache\hidserv.dll
2008-11-16 22:42 . 2008-11-16 22:42<DIR>d--------c:\documents and settings\Jimmy\Battleground Europe
2008-11-16 22:41 . 2008-11-16 22:41<DIR>d--------c:\program files\Playnet
2008-11-16 22:41 . 2004-05-03 12:26200,704--a------c:\windows\system32\teulKit.dll
2008-11-16 22:39 . 2008-11-16 22:39<DIR>d--------c:\program files\CRS
2008-11-16 22:36 . 2008-11-16 22:36<DIR>d--------c:\program files\DVD Shrink
2008-11-16 22:36 . 2008-11-16 22:37<DIR>d--------c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 18:10 . 2008-11-13 18:10<DIR>dr-h-----c:\documents and settings\Jimmy\Application Data\SecuROM
2008-11-13 18:07 . 2008-11-13 18:07<DIR>d--------C:\ProgramData
2008-11-13 18:07 . 2008-11-13 18:07<DIR>d--------c:\program files\Electronic Arts
2008-11-13 18:07 . 2008-11-13 18:071,114--a------c:\windows\system32\ealregsnapshot1.reg
2008-11-10 21:48 . 2008-11-17 21:25<DIR>d--------C:\Downloads
2008-11-10 21:46 . 2008-11-17 22:06<DIR>d--------c:\program files\FlashGet
2008-11-05 19:27 . 2008-11-05 19:27<DIR>d--------c:\program files\EA Sports
2008-11-05 19:22 . 2008-11-05 19:22<DIR>d--------c:\program files\DAEMON Tools Toolbar
2008-11-05 19:22 . 2008-11-06 00:12<DIR>d--------c:\program files\DAEMON Tools Lite
2008-11-01 18:36 . 2008-11-13 18:10107,888--a------c:\windows\system32\CmdLineExt.dll
2008-11-01 18:34 . 2008-05-30 14:113,850,760--a------c:\windows\system32\D3DX9_38.dll
2008-11-01 18:34 . 2008-05-30 14:111,491,992--a------c:\windows\system32\D3DCompiler_38.dll
2008-11-01 18:34 . 2008-05-30 14:19507,400--a------c:\windows\system32\XAudio2_1.dll
2008-11-01 18:34 . 2008-05-30 14:11467,984--a------c:\windows\system32\d3dx10_38.dll
2008-11-01 18:34 . 2008-05-30 14:18238,088--a------c:\windows\system32\xactengine3_1.dll
2008-11-01 18:34 . 2008-05-30 14:1765,032--a------c:\windows\system32\XAPOFX1_0.dll
2008-11-01 18:34 . 2008-05-30 14:1725,608--a------c:\windows\system32\X3DAudio1_4.dll
2008-11-01 18:33 . 2008-11-01 18:33<DIR>d--------c:\windows\Logs
2008-11-01 18:32 . 2008-11-11 12:41682,280--a------c:\windows\system32\pbsvc.exe
2008-10-30 01:24 . 2008-10-30 01:2442,320--a------c:\windows\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 13:14---------d-----wc:\program files\Common Files\Wise Installation Wizard
2008-11-20 13:06---------d---a-wc:\documents and settings\All Users\Application Data\TEMP
2008-11-20 12:40---------d-----wc:\program files\Yahoo!
2008-11-20 12:34---------d-----wc:\program files\Spybot - Search & Destroy
2008-11-20 12:12---------d-----wc:\program files\Call of Duty Game of the Year Edition
2008-11-20 12:0722,328----a-wc:\windows\system32\drivers\PnkBstrK.sys
2008-11-20 12:07107,832----a-wc:\windows\system32\PnkBstrB.exe
2008-11-18 13:05---------d-----wc:\program files\Xfire
2008-11-17 22:44---------d-----wc:\documents and settings\Jimmy\Application Data\Xfire
2008-11-13 18:07---------d--h--wc:\program files\InstallShield Installation Information
2008-11-11 12:4166,872----a-wc:\windows\system32\PnkBstrA.exe
2008-11-11 12:4122,328----a-wc:\documents and settings\Jimmy\Application Data\PnkBstrK.sys
2008-11-11 12:36---------d-----wc:\program files\Activision
2008-11-01 18:26---------d-----wc:\program files\Ubisoft
2008-10-20 18:56---------d-----wc:\documents and settings\Jimmy\Application Data\Vso
2008-10-19 21:14---------d-----wc:\program files\AGEIA Technologies
2008-10-19 20:52717,296----a-wc:\windows\system32\drivers\sptd.sys
2008-10-19 20:51---------d-----wc:\documents and settings\Jimmy\Application Data\DAEMON Tools
2008-10-09 13:11---------d-----wc:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-01 12:08---------d-----wc:\program files\Apple Software Update
2008-10-01 12:08---------d-----wc:\documents and settings\All Users\Application Data\Apple
2008-09-21 14:27---------d-----wc:\program files\Songbird
2008-09-21 14:26---------d-----wc:\documents and settings\Jimmy\Application Data\Songbird2
2008-09-21 14:25---------d-----wc:\documents and settings\All Users\Application Data\SongbirdVLC
2008-06-29 22:2647,360----a-wc:\documents and settings\Jimmy\Application Data\pcouffin.sys
2008-04-19 15:06848--sha-wc:\windows\system32\KGyGaAvL.sys
2008-03-06 04:3116,384--sha-wc:\windows\system32\config\systemprofile\Cookies\index.dat
2008-03-06 04:3132,768--sha-wc:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-03-06 04:3132,768--sha-wc:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat
2008-03-06 04:3132,768--sha-wc:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8527872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-25 81920]
"GrooveMonitor"="c:\program files\Microsoft Office 2003\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-02-29 1065472]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2008-02-29 419144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 185896]
"EPSON Stylus C46 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-14 99840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-25 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication PackagesREG_MULTI_SZ msv1_0 c:\windows\system32\opnopPfC
[HKLM\~\startupfolder\C:^Documents and Settings^Jimmy^Start Menu^Programs^Startup^FIFA 09 Registration.lnk]
path=c:\documents and settings\Jimmy\Start Menu\Programs\Startup\FIFA 09 Registration.lnk
backup=c:\windows\pss\FIFA 09 Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 12:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 17:21 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office 2003\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2003\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2003\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 SandBox;SandBox;c:\windows\system32\DRIVERS\SandBox.sys [2008-03-06 446976]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-03-06 1176904]
R3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2008-03-06 206352]
S2 EsetNod32Fix;Nod32 AV;%WINDIR%\regedit.exe /s %Windir%\Fix.reg []
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-03-06 33024]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12e7ec75-5267-11dd-8be6-001d7da5bd36}]
\Shell\AutoRun\command - f:\wd_windows_tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{1E5C9732-33A4-435E-9C96-D8137BDB3626} - c:\windows\system32\opnopPfC.dll
BHO-{93F81086-1097-4E14-B27B-FB61E254A264} - (no file)
BHO-{9e3350bd-7bbe-4272-80a1-2c0906267c8d} - c:\windows\system32\caqonf.dll
MSConfigStartUp-Antivirus2008y - c:\program files\Antivirus2008y\antvrs.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\oj8sbb93.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.co.uk
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 19:53:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... scanning hidden autostart entries ...
scanning hidden files ... scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EsetNod32Fix]
"ImagePath"=hex:25,00,57,00,49,00,4e,00,44,00,49,00,52,00,25,00,5c,00,72,00,65,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EsetNod32Fix]
"ImagePath"=hex:25,00,57,00,49,00,4e,00,44,00,49,00,52,00,25,00,5c,00,72,00,65,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ESET\ESET Smart Security\ekrn.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\program files\Agnitum\Outpost Firewall Pro\op_mon.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-11-20 20:00:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 20:00:56
Pre-Run: 142,692,106,240 bytes free
Post-Run: 142,659,907,584 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
253

Answer #5
Hello, do this.
Now open another new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\xbspnerw.dll
c:\windows\system32\xsbrwqtl.dll
c:\windows\system32\pwwskcdh.dll
c:\windows\system32\avguvdbi.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Image
This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it’s done. Post the resulting log back here.
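As an added illustration (not part of this thread, and not code from the HijackThis or ComboFix authors), the script below shows how a helper reading these logs picks out the indicators that led to the Vundo diagnosis in Answer #3 and that the CFScript in Answer #5 repairs: an AppInit_DLLs entry that injects a bare-named DLL into every process, an extra LSA authentication package loaded into lsass.exe, the Security Center notifications switched off, a service whose image path is not an executable, and the Windows Firewall disabled. The sample lines are constructed in the style of the HijackThis log in Answer #2 and the ComboFix "Reg Loading Points" section in Answer #4; the regexes, categories and severity labels are my own assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample input (not a real machine's log): lines modelled on the
# HijackThis log and the ComboFix registry section posted earlier in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll caqonf.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Nod32 AV (EsetNod32Fix) - Unknown owner - C:\WINDOWS\
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication PackagesREG_MULTI_SZ msv1_0 c:\windows\system32\opnopPfC
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

HJT_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")          # HijackThis "O20 - ..." lines
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                        # ComboFix "[HKEY_...]" headers
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')       # "Name"=value lines
AUTHPKG_RE = re.compile(r"^Authentication Packages\s*REG_MULTI_SZ\s+(?P<pkgs>.+)$")


class Finding(NamedTuple):
    severity: str   # "high" or "medium" (my own labels, not a tool's)
    category: str
    detail: str


def reg_int(value: str) -> int:
    """Parse the integer forms seen in these logs: 'dword:00000001' or '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return int(value.split()[0], 0)


def check_hjt(code: str, body: str) -> List[Finding]:
    out: List[Finding] = []
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # Every DLL listed here is loaded into each process that loads user32.dll.
        # A bare file name (no path) is resolved from the DLL search path, which is
        # how caqonf.dll was wired in on this machine.
        for dll in body[len("AppInit_DLLs:"):].split():
            if "\\" in dll:
                out.append(Finding("medium", "appinit-dll", f"AppInit_DLLs loads {dll}"))
            else:
                out.append(Finding("high", "appinit-dll",
                                   f"AppInit_DLLs loads bare name {dll} from the search path"))
    elif code == "O23" and body.startswith("Service:"):
        # A service whose image path is a directory rather than an .exe/.sys
        # cannot be an ordinary service binary and deserves a closer look.
        image = body.rsplit(" - ", 1)[-1].strip()
        if not image.lower().endswith((".exe", ".sys")):
            out.append(Finding("medium", "service-image", f"service image is not an executable: {body}"))
    return out


def check_reg_value(key: str, name: str, value: str) -> List[Finding]:
    out: List[Finding] = []
    key = key.lower()
    if key.endswith("\\security center") and name.lower().endswith("disablenotify"):
        # *DisableNotify=1 hides the Security Center warning about AV/updates being off.
        if reg_int(value) != 0:
            out.append(Finding("high", "security-center", f"{name}=1 suppresses the Security Center warning"))
    elif key.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall":
        if reg_int(value) == 0:
            out.append(Finding("medium", "firewall",
                               "Windows Firewall is off for the standard profile; "
                               "confirm a third-party firewall is actually running"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, remembering the current registry key for value lines."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = HJT_RE.match(line)
        if m:
            findings.extend(check_hjt(m.group("code"), m.group("body")))
            continue
        m = AUTHPKG_RE.match(line)
        if m:
            # Anything besides msv1_0 here is loaded into lsass.exe at boot.
            for pkg in m.group("pkgs").split():
                if pkg.lower() != "msv1_0":
                    findings.append(Finding("high", "lsa-auth-package",
                                            f"extra LSA authentication package {pkg} loads into lsass.exe"))
            continue
        m = VALUE_RE.match(line)
        if m:
            findings.extend(check_reg_value(current_key, m.group("name"), m.group("value")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:18} {f.detail}")
```

On the sample it reports four high findings (caqonf.dll, the two Security Center values and the opnopPfC authentication package) and three medium ones; the firewall entry is deliberately only medium because, as the log shows, this machine runs Outpost Firewall Pro, so a disabled Windows Firewall is not by itself evidence of tampering.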
Answer #6
ComboFix 08-11-19.08 - Jimmy 2008-11-20 22:59:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1477 [GMT 0:00]
Running from: c:\documents and settings\Jimmy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jimmy\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\system32\avguvdbi.dll
c:\windows\system32\pwwskcdh.dll
c:\windows\system32\xbspnerw.dll
c:\windows\system32\xsbrwqtl.dll
.
/wow section - STAGE 41
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\avguvdbi.dll
c:\windows\system32\pwwskcdh.dll
c:\windows\system32\xbspnerw.dll
c:\windows\system32\xsbrwqtl.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
2008-11-20 19:40 . 2008-11-20 19:40<DIR>d--------c:\program files\Trend Micro
2008-11-20 17:27 . 2008-11-20 17:47<DIR>d--------c:\program files\Adware Away
2008-11-20 16:56 . 2008-11-20 16:55102,664--a------c:\windows\system32\drivers\tmcomm.sys
2008-11-20 16:55 . 2008-11-20 17:00<DIR>d--------c:\documents and settings\Jimmy\.housecall6.6
2008-11-20 13:14 . 2008-11-20 13:14<DIR>d--------c:\program files\Lavasoft
2008-11-20 13:14 . 2008-11-20 13:16<DIR>d--------c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 13:08 . 2008-11-20 13:0895--a------c:\windows\wininit.ini
2008-11-17 20:36 . 2008-11-20 10:24<DIR>d--------c:\documents and settings\Jimmy\Application Data\skypePM
2008-11-17 20:36 . 2008-11-17 20:3656--ah-----c:\windows\system32\ezsidmv.dat
2008-11-17 20:35 . 2008-11-20 12:14<DIR>d--------c:\documents and settings\Jimmy\Application Data\Skype
2008-11-17 20:34 . 2008-11-17 20:35<DIR>d--------c:\program files\Skype
2008-11-17 20:34 . 2008-11-17 20:34<DIR>d--------c:\program files\Common Files\Skype
2008-11-17 20:34 . 2008-11-17 20:34<DIR>d--------c:\documents and settings\All Users\Application Data\Skype
2008-11-17 20:30 . 2008-11-17 22:44<DIR>d--------c:\documents and settings\Jimmy\Application Data\Hamachi
2008-11-17 20:29 . 2008-11-17 22:08<DIR>d--------c:\program files\Hamachi
2008-11-17 20:29 . 2008-11-17 20:2917,480--a------c:\windows\system32\drivers\hamachi.sys
2008-11-17 20:24 . 2004-08-04 00:5621,504--a------c:\windows\system32\hidserv.dll
2008-11-17 20:24 . 2004-08-04 00:5621,504--a--c---c:\windows\system32\dllcache\hidserv.dll
2008-11-16 22:42 . 2008-11-16 22:42<DIR>d--------c:\documents and settings\Jimmy\Battleground Europe
2008-11-16 22:41 . 2008-11-16 22:41<DIR>d--------c:\program files\Playnet
2008-11-16 22:41 . 2004-05-03 12:26200,704--a------c:\windows\system32\teulKit.dll
2008-11-16 22:39 . 2008-11-16 22:39<DIR>d--------c:\program files\CRS
2008-11-16 22:36 . 2008-11-16 22:36<DIR>d--------c:\program files\DVD Shrink
2008-11-16 22:36 . 2008-11-16 22:37<DIR>d--------c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 18:10 . 2008-11-13 18:10<DIR>dr-h-----c:\documents and settings\Jimmy\Application Data\SecuROM
2008-11-13 18:07 . 2008-11-13 18:07<DIR>d--------C:\ProgramData
2008-11-13 18:07 . 2008-11-13 18:07<DIR>d--------c:\program files\Electronic Arts
2008-11-13 18:07 . 2008-11-13 18:071,114--a------c:\windows\system32\ealregsnapshot1.reg
2008-11-10 21:48 . 2008-11-17 21:25<DIR>d--------C:\Downloads
2008-11-10 21:46 . 2008-11-17 22:06<DIR>d--------c:\program files\FlashGet
2008-11-05 19:27 . 2008-11-05 19:27<DIR>d--------c:\program files\EA Sports
2008-11-05 19:22 . 2008-11-05 19:22<DIR>d--------c:\program files\DAEMON Tools Toolbar
2008-11-05 19:22 . 2008-11-06 00:12<DIR>d--------c:\program files\DAEMON Tools Lite
2008-11-01 18:36 . 2008-11-13 18:10107,888--a------c:\windows\system32\CmdLineExt.dll
2008-11-01 18:34 . 2008-05-30 14:113,850,760--a------c:\windows\system32\D3DX9_38.dll
2008-11-01 18:34 . 2008-05-30 14:111,491,992--a------c:\windows\system32\D3DCompiler_38.dll
2008-11-01 18:34 . 2008-05-30 14:19507,400--a------c:\windows\system32\XAudio2_1.dll
2008-11-01 18:34 . 2008-05-30 14:11467,984--a------c:\windows\system32\d3dx10_38.dll
2008-11-01 18:34 . 2008-05-30 14:18238,088--a------c:\windows\system32\xactengine3_1.dll
2008-11-01 18:34 . 2008-05-30 14:1765,032--a------c:\windows\system32\XAPOFX1_0.dll
2008-11-01 18:34 . 2008-05-30 14:1725,608--a------c:\windows\system32\X3DAudio1_4.dll
2008-11-01 18:33 . 2008-11-01 18:33<DIR>d--------c:\windows\Logs
2008-11-01 18:32 . 2008-11-11 12:41682,280--a------c:\windows\system32\pbsvc.exe
2008-10-30 01:24 . 2008-10-30 01:2442,320--a------c:\windows\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 21:22 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-20 21:22 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-20 13:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-20 13:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 12:40 --------- d-----w c:\program files\Yahoo!
2008-11-20 12:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-20 12:12 --------- d-----w c:\program files\Call of Duty Game of the Year Edition
2008-11-18 13:05 --------- d-----w c:\program files\Xfire
2008-11-17 22:44 --------- d-----w c:\documents and settings\Jimmy\Application Data\Xfire
2008-11-13 18:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 12:41 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-11 12:41 22,328 ----a-w c:\documents and settings\Jimmy\Application Data\PnkBstrK.sys
2008-11-11 12:36 --------- d-----w c:\program files\Activision
2008-11-01 18:26 --------- d-----w c:\program files\Ubisoft
2008-10-20 18:56 --------- d-----w c:\documents and settings\Jimmy\Application Data\Vso
2008-10-19 21:14 --------- d-----w c:\program files\AGEIA Technologies
2008-10-19 20:52 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-19 20:51 --------- d-----w c:\documents and settings\Jimmy\Application Data\DAEMON Tools
2008-10-09 13:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-01 12:08 --------- d-----w c:\program files\Apple Software Update
2008-10-01 12:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-09-21 14:27 --------- d-----w c:\program files\Songbird
2008-09-21 14:26 --------- d-----w c:\documents and settings\Jimmy\Application Data\Songbird2
2008-09-21 14:25 --------- d-----w c:\documents and settings\All Users\Application Data\SongbirdVLC
2008-06-29 22:26 47,360 ----a-w c:\documents and settings\Jimmy\Application Data\pcouffin.sys
2008-04-19 15:06 848 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-03-06 04:31 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-03-06 04:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-03-06 04:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat
2008-03-06 04:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8527872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-25 81920]
"GrooveMonitor"="c:\program files\Microsoft Office 2003\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-02-29 1065472]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2008-02-29 419144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-12 185896]
"EPSON Stylus C46 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-14 99840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-25 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_SZ msv1_0
[HKLM\~\startupfolder\C:^Documents and Settings^Jimmy^Start Menu^Programs^Startup^FIFA 09 Registration.lnk]
path=c:\documents and settings\Jimmy\Start Menu\Programs\Startup\FIFA 09 Registration.lnk
backup=c:\windows\pss\FIFA 09 Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 12:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 17:21 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office 2003\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2003\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2003\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 SandBox;SandBox;c:\windows\system32\DRIVERS\SandBox.sys [2008-03-06 446976]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-03-06 1176904]
R3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2008-03-06 206352]
S2 EsetNod32Fix;Nod32 AV;%WINDIR%\regedit.exe /s %Windir%\Fix.reg []
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-03-06 33024]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12e7ec75-5267-11dd-8be6-001d7da5bd36}]
\Shell\AutoRun\command - f:\wd_windows_tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 23:04:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EsetNod32Fix]
"ImagePath"=hex:25,00,57,00,49,00,4e,00,44,00,49,00,52,00,25,00,5c,00,72,00,65,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ESET\ESET Smart Security\ekrn.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\program files\Agnitum\Outpost Firewall Pro\op_mon.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-11-20 23:14:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 23:14:06
ComboFix2.txt 2008-11-20 20:01:01
Pre-Run: 142,653,521,920 bytes free
Post-Run: 142,645,764,096 bytes free

Answer #7
Hello, looks much better.
Please uninstall Adware Away as it is considered to be a rogue scanner, full of false positives and not to be trusted.
Delete this folder if it still exists after you’ve uninstalled it.
c:\program files\Adware Away
Please delete combofix from your desktop, and delete these two folders:
C:\Qoobox
C:\Combofix
==
Java needs updating.
Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 update 10 from here:
    http://java.sun.com/javase/downloads/index.jsp

  • Select the first option where it says “Java Runtime Environment (JRE) 6 update 10”.
  • Click the “Download” button to the right.
  • In the Window that opens, select your platform and language, check the “agree” box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running – especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    – Examples of older versions in Add or Remove Programs:
    – Java 2 Runtime Environment, SE v1.4.2
    – J2SE Runtime Environment 5.0
    – J2SE Runtime Environment 5.0 Update 2

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.

How is everything now?
Answer #8
Thanks, I will do that when I am around at that computer tomorrow. Everything seems to be a lot better now, thank you very much. Fancy teaching me :P
