I open Internet Explorer and a few minutes later I either get redirected to another window or a pop-up comes up with similar sites. I did an Avast scan and there were 4 files named lwpwr.exe with different versions, but Avast could not remove the archive. I was able to directly delete several .bat files that were created by this. I did another scan and found a program folder called pchealthcenter; it also was deleted, but I'm still having the same problem. I did steps 1, 2, 3 (didn't need to update), 4 and 5. I have both logs, from the online scan and from HijackThis, and I am posting both to save a little time. First is the online scan log, then the HijackThis log. The beginning of each scan log is in red. Thanks guys

*New info at the bottom of the 2 logfiles: I added the scan log of Avast

Thursday, September 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 18, 2008 09:00:26
Records in database: 1247536

Scan settings
Scan using the following database  extended
Scan archives  yes
Scan mail databases  yes

Scan area - My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned  89123
Threat name  2
Infected objects  4
Suspicious objects  0
Duration of the scan  03:50:14

File name  Threat name  Threats count
D:\Music\Dads Music\04 Track 4.wma  Infected: Trojan-Downloader.WMA.Wimad.k  1
D:\Music\Dads Music\Top of Charts - 2005 (jessica).wma  Infected: Trojan-Downloader.WMA.Wimad.k  1
D:\My documents DO NOT REMOVE! 2\System Alert trojan\SmitfraudFix\Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  1
D:\My documents DO NOT REMOVE! 2\System Alert trojan\SmitfraudFix.zip  Infected: not-a-virus:RiskTool.Win32.Reboot.f  1

The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:28 AM, on 9/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=...ly=http://mail.live.com/default.aspx&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {a4409f93-53d9-6bfa-19e4-cc40ff6c3fb4} - {4bf3c6ff-04cc-4e91-afb6-9d3539f9044a} - C:\WINDOWS\system32\tnejls.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8F34BF8A-B566-42A5-BB11-876CCB175F7A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {ADFD5FD2-2DD2-4572-80DA-C74F1193FBA1} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [88acc6e6] rundll32.exe "C:\WINDOWS\system32\guitfehf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0927948-8B2A-4CA3-924A-26DF4731E067}: NameServer = 24.29.103.15,24.29.103.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{D0927948-8B2A-4CA3-924A-26DF4731E067}: NameServer = 24.29.103.15,24.29.103.16
O20 - AppInit_DLLs: tnejls.dll
O20 - Winlogon Notify: cbXOFxxv - cbXOFxxv.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6374 bytes

*Added info Avast logfile:
9/16/2008 7:25:04 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\0.exe" file.
9/16/2008 7:25:22 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:25:26 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\1.exe" file.
9/16/2008 7:25:32 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:25:40 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\2.exe" file.
9/16/2008 7:25:48 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:25:53 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\3.exe" file.
9/16/2008 7:26:02 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:26:09 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\0.exe" file.
9/16/2008 7:26:26 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:26:32 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\4.exe" file.
9/16/2008 7:26:36 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:26:40 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\1.exe" file.
9/16/2008 7:26:46 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:27:02 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:29:30 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:29:46 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:30:44 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\2.exe" file.
9/16/2008 7:30:52 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:31:18 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:32:48 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:32:55 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:33:03 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:33:24 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:33:31 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:34:18 PM SYSTEM 1388 Sign of "Win32:Vapsup-IM [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\mqgldfvo.exe" file.
9/16/2008 7:34:29 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:34:33 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\3.exe" file.
9/16/2008 7:34:37 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:34:50 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:36:11 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:36:18 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:36:46 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:38:14 PM SYSTEM 1388 Sign of "BV:Vapsup-C" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\install.bat" file.
9/16/2008 7:38:36 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:38:46 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:38:56 PM SYSTEM 1388 Sign of "Win32:Tipa [Cryp]" has been found in "C:\Program Files\PCHealthCenter\4.exe" file.
9/16/2008 7:39:02 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:39:46 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:41:09 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:41:13 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/16/2008 7:41:26 PM SYSTEM 1388 Sign of "Win32:Agent-LTS [Trj]" has been found in "C:\DOCUME~1\Garfield\LOCALS~1\Temp\ac8zt2\dtseqrxk.dll" file.
9/17/2008 4:26:40 AM SYSTEM 1448 Sign of "Win32:Trojan-gen {Other}" has been found in "http://premium.bestguardownload.com/cleanuptool.com/CleanupTool/setup_en.cab\UGES_0001_N122M2603NetInstaller.exe" file.
9/17/2008 4:27:15 AM SYSTEM 1448 Sign of "Win32:Faker-I [Spy]" has been found in "http://premium.bestguardownload.com/cleanuptool.com/CleanupTool/setup_sbd_en.exe" file.
9/18/2008 1:53:58 AM SYSTEM 1416 Sign of "Win32:Podnuha-BJ [Rtk]" has been found in "C:\WINDOWS\system32\cmcfg3.dll\[UPX]" file.
9/18/2008 2:01:29 AM SYSTEM 1416 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\cbXOFxxv.dll" file.
9/18/2008 2:02:23 AM SYSTEM 1416 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\cbXOFxxv.dll" file.
9/18/2008 3:04:10 AM Garfield 224 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\cbXOFxxv.dll" file.
9/18/2008 3:16:03 AM SYSTEM 1424 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\cbXRHawv.dll" file.
9/18/2008 3:25:28 AM SYSTEM 1424 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\cbXRHawv.dll" file.
9/18/2008 3:45:02 AM Garfield 3916 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\iifcdExY.dll" file.
9/19/2008 2:50:54 AM Garfield 3724 Sign of "Win32:WimAD-I [Trj]" has been found in "D:\Music\Dads Music\04 Track 4.wma" file.
9/19/2008 2:52:41 AM Garfield 3860 Sign of "Win32:WimAD-I [Trj]" has been found in "D:\Music\Dads Music\Top of Charts - 2005 (jessica).wma" file.
Hi grfldd411

First, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

After that, rename HijackThis to scanner.exe and then post a new HijackThis log.

Best Regards
-----------------------------------------------------------------
ComboFix 08-09-19.01 - Garfield 2008-09-19 13:49:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1730 [GMT -4:00]
Running from: C:\Documents and Settings\Garfield\Desktop\Combo-Fix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((   Files Created from 2008-08-19 to 2008-09-19  )))))))))))))))))))))))))))))))
.
2008-09-18 01:56 . 2008-09-18 01:56    137,344    --a------    C:\WINDOWS\system32\gupxyxrr.dll
2008-09-18 01:53 . 2008-09-18 01:53    116,224    --a------    C:\WINDOWS\system32\ilgnpcdr.exe
2008-09-17 11:39 . 2008-09-17 11:39    <DIR>    d--------    C:\Program Files\Trend Micro
2008-09-13 17:00 . 2008-09-13 17:00    54,156    --ah-----    C:\WINDOWS\QTFont.qfn
2008-09-13 17:00 . 2008-09-13 17:00    1,409    --a------    C:\WINDOWS\QTFont.for
2008-09-11 02:02 . 2008-09-11 02:02    <DIR>    d--------    C:\Program Files\MagicDisc
2008-09-11 02:02 . 2008-07-28 17:19    116,736    --a------    C:\WINDOWS\system32\drivers\mcdbus.sys
2008-09-08 14:17 . 2008-09-08 14:17    <DIR>    d--------    C:\Program Files\danny_kay1710
2008-09-07 02:05 . 2004-03-29 16:23    90,112    --a------    C:\WINDOWS\unvise32.exe
2008-09-07 02:04 . 2008-09-07 02:05    <DIR>    d--------    C:\Program Files\The Rosetta Stone
2008-09-07 01:58 . 2008-09-11 14:13    <DIR>    d--------    C:\WINDOWS\system32\hdined32.nls.{00021401-0000-0000-C000-000000000046}
2008-09-07 01:54 . 2008-09-07 02:03    <DIR>    d--------    C:\Program Files\burnatonce
2008-09-01 01:13 . 2008-07-22 10:45    1,214,526    -----c---    C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-01 01:13 . 2008-07-22 10:45    790,846    -----c---    C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-01 01:13 . 2008-07-22 10:45    9,696    -----c---    C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-31 14:17 . 2008-08-31 14:17    <DIR>    d--------    C:\Program Files\NOS
2008-08-31 14:17 . 2008-08-31 14:17    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\NOS
2008-08-27 17:03 . 2008-08-27 17:03    42,320    --a------    C:\WINDOWS\system32\xfcodec.dll
2008-08-23 04:58 . 2008-08-23 05:00    <DIR>    d--------    C:\Program Files\Executive Software
2008-08-22 03:23 . 2008-08-22 03:24    <DIR>    d--------    C:\Documents and Settings\Administrator
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 08:26    ---------    d-----w    C:\Program Files\Call of Duty
2008-09-19 08:26    ---------    d-----w    C:\Documents and Settings\Garfield\Application Data\Xfire
2008-09-19 07:50    22,328    ----a-w    C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-19 07:50    107,832    ----a-w    C:\WINDOWS\system32\PnkBstrB.exe
2008-09-19 07:43    ---------    d-----w    C:\Program Files\Xfire
2008-09-19 06:57    ---------    d-----w    C:\Program Files\Java
2008-09-18 08:39    ---------    d-----w    C:\Program Files\RegScrubXP
2008-09-17 04:46    ---------    d-----w    C:\Documents and Settings\Garfield\Application Data\U3
2008-09-17 01:18    ---------    d-----w    C:\Documents and Settings\Garfield\Application Data\LimeWire
2008-09-16 23:17    ---------    d-----w    C:\Documents and Settings\Garfield\Application Data\uTorrent
2008-09-10 17:55    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-07 03:23    ---------    d-----w    C:\Program Files\Ahead
2008-08-30 19:38    ---------    d-----w    C:\Program Files\Google
2008-08-30 05:54    ---------    d-----w    C:\Documents and Settings\Garfield\Application Data\WeatherBug
2008-08-14 18:40    ---------    d-----w    C:\Program Files\Axon Data
2008-08-08 08:36    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-08-06 05:05    ---------    d-----w    C:\Program Files\Free FLV Converter
2008-08-04 03:50    ---------    d-----w    C:\Documents and Settings\Garfield\Application Data\rockbox.org
2008-07-25 01:39    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-07 20:26    253,952    ----a-w    C:\WINDOWS\system32\es.dll
2008-06-24 22:12    295,936    ----a-w    C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43    74,240    ----a-w    C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57    826,368    ----a-w    C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46    245,248    ----a-w    C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
"SoundMan"="SOUNDMAN.EXE" [2002-06-29 C:\WINDOWS\SOUNDMAN.EXE]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\Program Files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-08-30 15:37 133104 C:\Documents and Settings\Garfield\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-29 14:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"aawservice"=3 (0x3)
"SupportSoft RemoteAssist"=3 (0x3)
"gupdate1c90ad7e84c2fc6"=2 (0x2)
"getPlus(R) Helper"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 40704]
S3 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 245664]
S4 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
S4 gupdate1c90ad7e84c2fc6;Google Update Service (gupdate1c90ad7e84c2fc6);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-30 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f352c9-1c31-11dd-b589-00402b4dd4db}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-30 15:37]
2008-09-07 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Garfield\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-30 15:37]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Garfield\Application Data\Mozilla\Firefox\Profiles\v5ocvxig.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://bl129w.blu129.mail.live.com/mail/InboxLight.aspx?n=993122538&wa=wsignin1.0
FF -: plugin - C:\Documents and Settings\Garfield\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 13:51:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-19 13:52:58
ComboFix-quarantined-files.txt  2008-09-19 17:52:34
ComboFix2.txt  2008-09-19 17:04:17
ComboFix3.txt  2008-09-19 16:37:13
Pre-Run: 11,360,509,952 bytes free
Post-Run: 11,348,566,016 bytes free
156    --- E O F ---    2008-09-10 18:41:48

I ran HijackThis and encountered an error. I ran it again and had no error. So I have posted both, beginning with the log with the error, then the one without.

#1 with error
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:15 PM, on 9/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=...ly=http://mail.live.com/default.aspx&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0927948-8B2A-4CA3-924A-26DF4731E067}: NameServer = 24.29.103.15,24.29.103.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{D0927948-8B2A-4CA3-924A-26DF4731E067}: NameServer = 24.29.103.15,24.29.103.16
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4754 bytes

#2 without error:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:46 PM, on 9/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=...ly=http://mail.live.com/default.aspx&id=64855
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0927948-8B2A-4CA3-924A-26DF4731E067}: NameServer = 24.29.103.15,24.29.103.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{D0927948-8B2A-4CA3-924A-26DF4731E067}: NameServer = 24.29.103.15,24.29.103.16
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA
- Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe -- End of file - 4754 bytes I also included the error see below. Thanks
Hey, I was able to get rid of the viruses. I finally got rid of the last couple that were giving problems. It turns out Avast couldn't get rid of archive (RAR) files that were infected. They were located in the restore point, 2 instances. So what I did was turn off System Restore, rebooted, then re-enabled System Restore and they went bye-bye. Below is the boot log of Avast and what it found. Thanks again for all your help; you guys never let me down.

D. Vasquez

09/20/2008 21:00
Scan of C:\
File C:\QooBox\Quarantine\C\WINDOWS\system32\ejwluo.dll.vir is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\system32\oslnlkmi.dll.vir is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\system32\ssqNdBUm.dll.vir is infected by Win32:Trojan-gen {Other}, Deleted
File C:\QooBox\Quarantine\C\WINDOWS\system32\yayaWQKD.dll.vir is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000036.exe is infected by Win32:Tipa [Cryp], Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000037.exe\MicroAV.cpl is infected by Win32:Trojan-gen {Other}, Delete: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000037.exe\MicroAV.exe is infected by Win32:Spyware-gen [Trj], Delete: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000038.exe is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000041.dll is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000042.dll is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000052.dll is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP2\A0000053.dll is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP3\A0000170.dll is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP4\A0000242.dll is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP4\A0000243.dll is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP4\A0000245.dll is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP4\A0000246.dll is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\System Volume Information\_restore{C9677680-3B02-4F4C-B0EA-26529898954F}\RP4\A0000256.dll is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\WINDOWS\system32\gupxyxrr.dll is infected by Win32:Rootkit-gen [Rtk], Deleted
Number of searched folders: 5904
Number of tested files: 340002
Number of infected files: 19
Looks like Avast got it all: you only had infected files in the quarantine of Qoobox (for Qoologic trojan removal), in your System Restore (which you flushed... good job!), and an inactive file lying around. You look clean! Enjoy!

Best Regards
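As an added example (not part of this thread and not Avast's own tooling), here is a small Python triage of boot-log lines in the shape shown above: it sorts each detection by where it sat (QooBox quarantine, a System Restore point, or the live system) and by whether the delete succeeded, so the "Delete: Error 42111" entries inside restore points show up as the ones that flushing System Restore clears, while an undeleted live file would mean the machine is not yet clean. The sample log lines, file names and the restore GUID are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Line shape from the Avast boot log in the thread:
#   File <path> is infected by <threat>, Deleted
#   File <path> is infected by <threat>, Delete: Error NNNNN {reason}
LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<threat>.+?), "
    r"(?P<outcome>Deleted|Delete: Error (?P<code>\d+) \{(?P<reason>[^}]*)\})$")

@dataclass
class Detection:
    path: str
    threat: str
    location: str        # "quarantine", "restore_point" or "live"
    deleted: bool
    error: str = ""      # "code: reason" when the delete failed

def classify_location(path: str) -> str:
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already neutralised by the removal tool
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # inert unless the user rolls back to it
    return "live"

def parse_log(text: str) -> list:
    dets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # "Scan of C:\" and the summary counts
        ok = m["outcome"] == "Deleted"
        dets.append(Detection(m["path"], m["threat"], classify_location(m["path"]),
                              ok, "" if ok else f"{m['code']}: {m['reason']}"))
    return dets

def triage(dets):
    # Live files Avast could not delete mean the box is still infected;
    # undeleted files inside restore points are removed by flushing System Restore.
    still_infected = [d for d in dets if d.location == "live" and not d.deleted]
    flush_restore = [d for d in dets if d.location == "restore_point" and not d.deleted]
    return still_infected, flush_restore

# Constructed sample in the thread's log format (placeholder names and GUID).
SAMPLE_LOG = r"""Scan of C:\
File C:\QooBox\Quarantine\C\WINDOWS\system32\example1.dll.vir is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP2\A0000001.exe\inner.exe is infected by Win32:Spyware-gen [Trj], Delete: Error 42111 {The operation is not supported for this type of archive.}
File C:\WINDOWS\system32\example2.dll is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\WINDOWS\system32\example3.dll is infected by Win32:Trojan-gen {Other}, Delete: Error 42111 {The operation is not supported for this type of archive.}
Number of infected files: 4
"""
```

Running `triage(parse_log(SAMPLE_LOG))` on the constructed sample reports one live file still needing attention and one restore-point entry that a System Restore flush takes care of.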