hello all, I ran a registry scan on my AV2009-infected computer and got the results below. please show me what to do with them! thanks a lot!

HKU\S-1-5-21-73586283-329068152-725345543-1004\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 9/1/2008 2:28 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 8/31/2008 6:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/31/2008 6:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 11/24/2008 7:25 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 11/24/2008 10:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/28/2008 3:28 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys 11/29/2008 8:21 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys 11/29/2008 8:34 PM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
D: 0 bytes Error mounting volume
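A small triage script for a discrepancy report like the one above, added here as an illustration and not part of the thread or of any scanner's own code: it parses each line into path, timestamp, size and description, buckets the findings by the kind of discrepancy reported, and pulls out the hidden keys that sit under a boot or logon persistence location (Services, Run, Winlogon), which is what a responder wants to look at first. The line format is assumed to be the RootkitRevealer-style one shown in the post; the sample lines are constructed from that post.

```python
"""Triage a registry-discrepancy report of the kind posted above.

Assumed line format (RootkitRevealer-style; an assumption, the post does
not name the scanner):
    <path> <M/D/YYYY> <h:mm AM|PM> <N> bytes <description>
Volume lines carry no timestamp:  "C: 0 bytes Error mounting volume"
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the opening post.
SAMPLE_REPORT = r"""
HKU\S-1-5-21-73586283-329068152-725345543-1004\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 9/1/2008 2:28 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 8/31/2008 6:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 8/31/2008 8:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 11/24/2008 7:25 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\TDSS 11/24/2008 10:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys 11/28/2008 3:28 PM 0 bytes Hidden from Windows API.
C: 0 bytes Error mounting volume
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>\d+) bytes\s+"
    r"(?P<desc>.+?)\s*$"
)

# Map the scanner's description text to a category and a triage priority.
# "Hidden from Windows API" means raw hive parsing found a key that API
# enumeration did not return: the footprint of a kernel-mode rootkit
# filtering registry calls.  Embedded-null names cannot be opened by
# ordinary Win32 tools at all; they are used by malware but also appear in
# a few places in Windows itself, so they need review, not blind deletion.
CATEGORIES = {
    "Hidden from Windows API.": ("hidden_key", "high"),
    "Key name contains embedded nulls (*)": ("embedded_nulls", "review"),
    "Data mismatch between Windows API and raw hive data.": ("data_mismatch", "low"),
    "Error mounting volume": ("volume_error", "info"),
}

# Registry locations whose contents run at boot or logon (lower-cased).
PERSISTENCE_MARKERS = ("\\services\\", "\\currentversion\\run", "\\winlogon\\")


@dataclass
class Finding:
    path: str
    date: Optional[str]
    time: Optional[str]
    size: int
    description: str
    category: str
    priority: str


def parse_line(line: str) -> Finding:
    m = LINE_RE.match(line.strip())
    if not m:
        # Keep unparseable lines visible instead of silently dropping them.
        return Finding(line.strip(), None, None, 0, "", "unparsed", "review")
    desc = m.group("desc")
    category, priority = CATEGORIES.get(desc, ("unknown", "review"))
    return Finding(m.group("path"), m.group("date"), m.group("time"),
                   int(m.group("size")), desc, category, priority)


def parse_report(text: str) -> List[Finding]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def hidden_persistence(findings: List[Finding]) -> List[str]:
    """Hidden keys under a boot/logon persistence location: check these first."""
    return [f.path for f in findings
            if f.category == "hidden_key"
            and any(marker in f.path.lower() for marker in PERSISTENCE_MARKERS)]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for category, n in summarize(found).most_common():
        print(f"{category:15s} {n}")
    print("hidden keys in persistence locations:")
    for path in hidden_persistence(found):
        print("  ", path)
```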
Hey kw200

Thanks for opening a new thread!

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required. Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects

Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards
I downloaded Malwarebytes but cannot run it. I tried different ways to run it but it doesn't respond. I guess AV2009 has updated itself. None of the antispyware on my system can connect to the internet to update; even my Windows Security Center can't update itself. I can't use any of the instructions from this site because I can't launch programs like Malwarebytes, ComboFix, SpybotSD...! If anyone can help, I would greatly appreciate it!
Hey kw200

Try this alternate way to run Malwarebytes.

Please reboot your computer into Safe Mode With Networking by doing the following:
• Restart your computer.
• After pressing the power button, repeatedly tap the F8 key.
• Instead of Windows loading as normal, the Advanced Options Menu should appear.
• Select the option to run Windows in Safe Mode With Networking, then press Enter.
• Choose the administrator's account.

Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

Go to C:\Program Files\Malwarebytes, and rename mbam.exe to kw200.exe. Try running it.

Configuring Malwarebytes
• Click on the tab Settings.
• Make sure only these boxes are checked:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects

Updating Malwarebytes
• Click on the tab Update.
• Press the button Check for Updates.
• Wait for Malwarebytes to be fully updated.

Scanning Time
• Click on the tab Scanner.
• Check Perform full scan and click on Scan.
• Wait for the scan to complete, and then click on Show Results.
• Make sure all items are checked, then click on Remove Selected.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

Post A Log
• A text box will pop up after the removal process is over. Post the contents of the text here.
• If no text box pops up, launch Malwarebytes, and click on the tab Logs.
• The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
• Post the log here.

Best Regards
Thanks cdavfrew, I was able to run Malwarebytes (but could not update the program yet, still get the "connection failed" message). Here's the log I was able to generate.

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

12/1/2008 3:30:14 AM
mbam-log-2008-12-01 (03-30-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 146070
Time elapsed: 38 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abadc07c-9990-405a-aa24-2c209b50ae79} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abadc07c-9990-405a-aa24-2c209b50ae79} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\rc.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrxx.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSvkql.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Delete on reboot.

thanks again!
Hey kw200

In safe mode with networking, follow these instructions:

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.
• When the Recovery Console has been installed, click on Yes to start the scan.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards
Ok! Here is the updated Malwarebytes log (with program up to date).

ComboFix 08-12-01.01 - Administrator 2008-12-01 20:39:13.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2823 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-01 07:23 . 2008-12-01 07:23 1,374 --a------ c:\windows\imsins.BAK
2008-12-01 00:44 . 2008-12-01 00:44 <DIR> d--h----- c:\windows\PIF
2008-12-01 00:37 . 2008-12-01 00:37 43,520 --a------ c:\windows\system32\svchstb.dll
2008-12-01 00:37 . 2008-12-01 00:37 16,384 --a------ c:\windows\system32\pretec.dat
2008-12-01 00:37 . 2008-12-01 00:37 1 --a------ c:\windows\system32\edl.dat
2008-11-30 23:30 . 2008-11-30 23:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 23:28 . 2008-12-01 00:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 23:28 . 2008-11-30 23:28 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-11-30 23:28 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 23:28 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 08:45 . 2008-11-30 09:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 08:45 . 2008-11-30 09:07 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-11-29 22:43 . 2008-11-29 22:43 <DIR> d-------- c:\program files\Lavasoft
2008-11-29 22:43 . 2008-11-30 09:07 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2008-11-29 20:27 . 2008-11-30 09:04 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-11-29 20:27 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2008-11-29 20:27 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-11-29 20:13 . 2008-11-29 20:13 <DIR> d-------- c:\program files\CCleaner
2008-11-29 19:39 . 2008-11-29 19:39 <DIR> d-------- c:\program files\Sun
2008-11-29 10:39 . 2008-11-29 10:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MalwareRemovalBot
2008-11-29 10:34 . 2008-11-30 09:24 <DIR> d-------- c:\documents and settings\Administrator
2008-11-27 08:58 . 2008-11-27 08:58 <DIR> d-------- c:\temp\FT62
2008-11-27 08:49 . 2008-04-13 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-27 08:48 . 2008-11-27 09:05 <DIR> d-------- c:\documents and settings\KW
2008-11-26 21:09 . 2008-11-26 21:09 73 --a------ c:\windows\st_affiliate.ini
2008-11-25 19:20 . 2008-11-25 19:20 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-24 21:58 . 2008-11-24 21:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:10 . 2008-11-27 08:58 <DIR> d-------- C:\Temp
2008-11-24 19:10 . 2008-11-27 08:58 132,880 --a------ c:\windows\system32\MSINET.OCX
2008-11-24 08:59 . 2008-11-29 19:38 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-11 17:16 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:16 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 17:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2008-11-30 17:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-30 03:38 --------- d-----w c:\program files\Java
2008-11-22 02:22 --------- d-----w c:\program files\HP
2008-11-19 03:49 --------- d-----w c:\program files\Free Music Zilla
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 04:59 --------- d-----w c:\program files\Common Files\Java
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-15 04:12 --------- d-----w c:\program files\kSolo
2008-10-12 06:03 --------- d-----w c:\program files\Final Codecs
2008-10-11 02:25 --------- d-----w c:\program files\Common Files\Adobe
2008-10-11 02:23 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ALM
2008-10-11 01:57 --------- d-----w c:\program files\Bonjour
2008-10-11 01:53 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-03 02:54 --------- d-----w c:\program files\Common Files\Voyetra
2008-10-03 02:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-03 02:47 --------- d-----w c:\program files\Turtle Beach
2008-10-03 02:47 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-03 02:47 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2008-10-02 23:34 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-02 23:34 --------- d-----w c:\program files\Common Files\Real
2008-10-02 23:34 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-10-02 23:23 --------- d-----w c:\program files\DivX
2008-10-02 20:24 --------- d-----w c:\program files\VIA
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:14 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-01 17:12 75 --sh--r c:\windows\CT4CET.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-29 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2008-09-02 806912]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nxtgfm.dll lqobbu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"msacm.l3codecp"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Hien Em.HIENEM^Start Menu^Programs^Startup^Voobys.lnk]
path=c:\documents and settings\Hien Em.HIENEM\Start Menu\Programs\Startup\Voobys.lnk
backup=c:\windows\pss\Voobys.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-12-01 00:37 4670704 c:\program files\Yahoo!\Messenger\yahoomessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-01 111184]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-01 20560]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 627840]
S3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\DRIVERS\OmniTV.sys [2008-08-31 243584]
S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-09-01 31616]
S3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\DRIVERS\V0410Afx.sys [2008-09-01 142656]
S3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\DRIVERS\V0410Aud.sys [2008-09-01 94720]
S3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\DRIVERS\V0410Dev.sys [2008-09-01 244704]
S3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\DRIVERS\V0410Vfx.sys [2008-09-01 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2008-12-01 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gib1l6eu.default\
FF -: plugin - c:\program files\Final Codecs\MozillaPlugins\nppl3260.dll
FF -: plugin - c:\program files\Final Codecs\MozillaPlugins\nprjplug.dll
FF -: plugin - c:\program files\Final Codecs\MozillaPlugins\nprpjplug.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\kSolo\npAVX.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 20:41:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(208)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-01 20:42:28
ComboFix-quarantined-files.txt 2008-12-02 04:42:20
ComboFix2.txt 2008-12-02 04:29:57
ComboFix3.txt 2008-12-02 02:07:04

Pre-Run: 19,801,874,432 bytes free
Post-Run: 19,785,150,464 bytes free

191 --- E O F --- 2008-12-02 01:26:16
Sorry, here's the updated ComboFix log!

ComboFix 08-12-01.01 - Hien Em 2008-12-01 22:55:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2557 [GMT -8:00]
Running from: c:\documents and settings\Hien Em.HIENEM\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-01 07:23 . 2008-12-01 07:23 1,374 --a------ c:\windows\imsins.BAK
2008-12-01 00:44 . 2008-12-01 00:44 <DIR> d--h----- c:\windows\PIF
2008-12-01 00:37 . 2008-12-01 00:37 16,384 --a------ c:\windows\system32\pretec.dat
2008-12-01 00:37 . 2008-12-01 00:37 1 --a------ c:\windows\system32\edl.dat
2008-11-30 23:30 . 2008-11-30 23:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 23:28 . 2008-12-01 00:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 23:28 . 2008-11-30 23:28 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-11-30 23:28 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 23:28 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 08:45 . 2008-11-30 09:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 08:45 . 2008-11-30 09:07 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-11-29 22:43 . 2008-11-29 22:43 <DIR> d-------- c:\program files\Lavasoft
2008-11-29 22:43 . 2008-11-30 09:07 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2008-11-29 20:27 . 2008-11-30 09:04 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-11-29 20:27 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2008-11-29 20:27 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2008-11-29 20:13 . 2008-11-29 20:13 <DIR> d-------- c:\program files\CCleaner
2008-11-29 19:39 . 2008-11-29 19:39 <DIR> d-------- c:\program files\Sun
2008-11-29 10:39 . 2008-11-29 10:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MalwareRemovalBot
2008-11-29 10:34 . 2008-11-30 09:24 <DIR> d-------- c:\documents and settings\Administrator
2008-11-27 08:58 . 2008-11-27 08:58 <DIR> d-------- c:\temp\FT62
2008-11-27 08:49 . 2008-04-13 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-27 08:48 . 2008-11-27 09:05 <DIR> d-------- c:\documents and settings\KW
2008-11-26 21:09 . 2008-11-26 21:09 73 --a------ c:\windows\st_affiliate.ini
2008-11-25 19:20 . 2008-11-25 19:20 <DIR> d-------- c:\program files\Common Files\Scanner
2008-11-24 21:58 . 2008-11-24 21:58 0 --a------ c:\windows\nsreg.dat
2008-11-24 19:10 . 2008-11-27 08:58 <DIR> d-------- C:\Temp
2008-11-24 19:10 . 2008-11-27 08:58 132,880 --a------ c:\windows\system32\MSINET.OCX
2008-11-24 08:59 . 2008-11-29 19:38 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-11 17:16 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:16 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 22:54 . 2008-11-06 22:54 162,304 --a------ c:\documents and settings\Hien Em.HIENEM\lame_enc_en.dll
2008-11-06 22:54 . 2008-11-06 22:54 53,248 --a------ c:\documents and settings\Hien Em.HIENEM\lametritonus_en.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 17:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2008-11-30 17:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-30 03:38 --------- d-----w c:\program files\Java
2008-11-22 02:22 --------- d-----w c:\program files\HP
2008-11-19 03:49 --------- d-----w c:\program files\Free Music Zilla
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 04:59 --------- d-----w c:\program files\Common Files\Java
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-15 04:12 --------- d-----w c:\program files\kSolo
2008-10-12 06:03 --------- d-----w c:\program files\Final Codecs
2008-10-11 02:25 --------- d-----w c:\program files\Common Files\Adobe
2008-10-11 02:23 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ALM
2008-10-11 01:57 --------- d-----w c:\program files\Bonjour
2008-10-11 01:53 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-03 02:54 --------- d-----w c:\program files\Common Files\Voyetra
2008-10-03 02:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-03 02:47 --------- d-----w c:\program files\Turtle Beach
2008-10-03 02:47 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-03 02:47 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2008-10-02 23:34 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-02 23:34 --------- d-----w c:\program files\Common Files\Real
2008-10-02 23:34 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-10-02 23:23 --------- d-----w c:\program files\DivX
2008-10-02 20:24 --------- d-----w c:\program files\VIA
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:14 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-01 17:12 75 --sh--r c:\windows\CT4CET.bin
.
((((((((((((((((((((((((((((( snapshot@2008-12-01_18.06.38.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-02 04:44:57 16,384 ----atw c:\windows\temp\Perflib_Perfdata_504.dat
+ 2008-12-02 04:44:47 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-12-01 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-29 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
1-Click Answers.lnk - c:\program files\1-Click Answers\answers.exe [2008-09-02 806912]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nxtgfm.dll lqobbu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"msacm.l3codecp"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Hien Em.HIENEM^Start Menu^Programs^Startup^Voobys.lnk]
path=c:\documents and settings\Hien Em.HIENEM\Start Menu\Programs\Startup\Voobys.lnk
backup=c:\windows\pss\Voobys.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-12-01 00:37 4670704 c:\program files\Yahoo!\Messenger\yahoomessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-01 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-01 20560]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\DRIVERS\OmniTV.sys [2008-08-31 243584]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2008-09-01 31616]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 627840]
S3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\DRIVERS\V0410Afx.sys [2008-09-01 142656]
S3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\DRIVERS\V0410Aud.sys [2008-09-01 94720]
S3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\DRIVERS\V0410Dev.sys [2008-09-01 244704]
S3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\DRIVERS\V0410Vfx.sys [2008-09-01 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-01 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2008-12-01 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Hien Em.HIENEM\Application Data\Mozilla\Firefox\Profiles\gvlrluv9.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Final Codecs\MozillaPlugins\nppl3260.dll
FF -: plugin - c:\program files\Final Codecs\MozillaPlugins\nprjplug.dll
FF -: plugin - c:\program files\Final Codecs\MozillaPlugins\nprpjplug.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\kSolo\npAVX.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-01 22:56:59 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(664) c:\windows\system32\Ati2evxx.dll . Completion time: 2008-12-01 22:57:42 ComboFix-quarantined-files.txt 2008-12-02 06:57:36 ComboFix2.txt 2008-12-02 04:42:29 ComboFix3.txt 2008-12-02 04:29:57 ComboFix4.txt 2008-12-02 02:07:04 Pre-Run: 19,765,469,184 bytes free Post-Run: 19,748,835,328 bytes free 201 --- E O F --- 2008-12-02 01:26:16
Hey kw200

Is your internet working now?

Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file. Rename HijackThis(.exe) to scanner(.exe). Next, run scanner(.exe). A window will pop up.
• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here. This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

Best Regards
Thank you so much cdavfrew, here's the HijackThis log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:50, on 2008-12-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1-Click Answers\answers.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\1-CLIC~1\agtserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hien Em.HIENEM\Desktop\HiJackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15105/CTPID.cab
O20 - AppInit_DLLs: nxtgfm.dll lqobbu.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5881 bytes
Yes, it is working fine now. The only problem I have is with svchost.exe taking up 99% of my PC's CPU. Can you show me the next step to completely remove all harmful items left in my system? I can't thank you enough for taking the time to help a newbie out.
Hey kw200

In the task manager, next to svchost.exe, is the user name System?

Please run HijackThis.
• Click on the button which says Main Menu, then Do a system scan only.
• Please wait for the scan to be completed.
• After the scan has completed, check the following entries.

Code:
O20 - AppInit_DLLs: nxtgfm.dll lqobbu.dll

Click on the button Fix checked.

NOTE: Close all browsers before fixing anything.

I'm gonna say that your logs show no harmful items.

Best Regards
cdavfrew, I fixed that svchost.exe issue already. I downloaded Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx); this helped me identify the program that was taking up all the CPU resources (it was the HP printer network update thingy). I uninstalled the whole thing and the system is running better than ever.

I ran HijackThis and found this:
O20 - AppInit_DLLs: nxtgfm.dll lqobbu.dll,avgrsstx.dll

instead of:
O20 - AppInit_DLLs: nxtgfm.dll lqobbu.dll
(which is how you had it)

Is this to fix the svchost.exe problem? Please advise! Thanks so much!
Hey kw200

Hmmm.... that changes things.

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Open Notepad and copy/paste the text in the code box below into it:

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

• Save this as CFScript.txt in the same folder as ComboFix.
• Then drag the CFScript.txt into Combo-Fix.exe.
• This will start ComboFix again. Do not click on the ComboFix window, as it may cause it to stall.

This is to remove some traces of malware on your system. All is good now. Enjoy!

Best Regards
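The AppInit_DLLs value is the pivot of this thread: Windows loads every DLL listed there into every process that links user32.dll, so an entry you cannot account for is a persistence mechanism, and clearing the whole value (as HijackThis's "Fix checked" does) also throws out a legitimate hook such as AVG's avgrsstx.dll. The script below is an added example, not code from the thread, HijackThis or ComboFix: it parses the O20 line from a HijackThis log and the REGEDIT4-style line ComboFix prints, splits the value on the separators Windows accepts (spaces and commas), flags every DLL that is not on a reviewer-maintained allowlist, and emits a ComboFix-style Registry:: block that rewrites the value to the vetted DLLs only, which is what the helper's CFScript above does by hand. The allowlist, the random-name heuristic and the sample log lines are this example's own assumptions; the generated .reg text quotes the REG_SZ data as regedit's format requires, whereas the thread's script omits the quotes.

```python
"""Triage AppInit_DLLs from HijackThis / ComboFix log text and build the
CFScript that keeps only vetted DLLs. Added example; not part of the thread."""
import re

# Assumption: reviewer-maintained allowlist, not something the tools ship.
# avgrsstx.dll is the AVG hook the user reported in the thread.
KNOWN_GOOD = {"avgrsstx.dll"}

# Heuristic (assumption): short all-lowercase names like nxtgfm.dll / lqobbu.dll
# in the thread look machine-generated; it only annotates the reason.
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.dll$")

# Constructed sample: the user's HijackThis O20 line and ComboFix's REGEDIT4 line.
SAMPLE_LOG = (
    "O20 - AppInit_DLLs: nxtgfm.dll lqobbu.dll,avgrsstx.dll\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]\n"
    '"AppInit_DLLs"=nxtgfm.dll lqobbu.dll\n'
)

HJT_O20 = re.compile(r"^\s*O20 - AppInit_DLLs:\s*(.*?)\s*$")
REG_APPINIT = re.compile(r'^\s*"AppInit_DLLs"=(.*?)\s*$', re.IGNORECASE)


def split_appinit(value):
    """AppInit_DLLs is one REG_SZ; Windows treats spaces and commas as
    separators, so split on both (and tolerate regedit-style quotes)."""
    return [d for d in re.split(r"[ ,]+", value.strip().strip('"')) if d]


def parse_appinit(log_text):
    """Return the DLL names found in O20 lines and REGEDIT4 AppInit_DLLs
    lines, in order of first appearance, de-duplicated case-insensitively."""
    found = []
    for line in log_text.splitlines():
        m = HJT_O20.match(line) or REG_APPINIT.match(line)
        if m:
            found.extend(split_appinit(m.group(1)))
    seen, ordered = set(), []
    for dll in found:
        key = dll.lower()
        if key not in seen:
            seen.add(key)
            ordered.append(dll)
    return ordered


def triage(dlls):
    """Split DLLs into (keep, suspicious); suspicious entries carry a reason.
    Anything not on the allowlist is suspicious, whatever its name looks like."""
    keep, suspicious = [], []
    for dll in dlls:
        if dll.lower() in KNOWN_GOOD:
            keep.append(dll)
        elif RANDOM_NAME.match(dll.lower()):
            suspicious.append((dll, "random-looking name, not on allowlist"))
        else:
            suspicious.append((dll, "not on allowlist"))
    return keep, suspicious


def cfscript(keep):
    """Registry:: block that sets AppInit_DLLs to the vetted DLLs only
    (an empty string if none survive), using regedit's quoted REG_SZ form."""
    return (
        "Registry::\n"
        "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]\n"
        f'"AppInit_DLLs"="{" ".join(keep)}"\n'
    )


if __name__ == "__main__":
    dlls = parse_appinit(SAMPLE_LOG)
    keep, suspicious = triage(dlls)
    for dll, reason in suspicious:
        print(f"SUSPICIOUS {dll}: {reason}")
    print(cfscript(keep))
```

Run it against a saved hijackthis.txt or ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the allowlist is the part that needs judgement, and a DLL you cannot attribute to an installed product should stay out of it even if its name looks ordinary.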
OK, I did what you said! It's running like a brand new computer now! Damn, I thought I would have to reformat my computer and end up losing all my stuff. But thanks to you I didn't have to do that! You're da man. God bless you!

One last question: I have AVG anti-virus running on my computer. Do you recommend running a second program just to be safer? If so, what do you think is good? Thanks bro!
Also, my clock seems to be stuck in 24-hour format, because of ComboFix I believe. How can I fix it? Thanks!
Hey kw200

Glad to hear that all is well!

Read here to fix your clock problem: http://www.ehow.com/how_4483170_time-regular-time-windows-xp.html

Also, I would recommend Antivir instead of AVG, as Antivir is a better antivirus in terms of resource consumption and detection. Always scan regularly with an antispyware product (Malwarebytes is fine), and surf safely!

Here are other products I would recommend:
Comodo Firewall
SpywareBlaster
Spybot's Immunization and SDHelper

Best Regards