.tt3.tmp.vbs.............................virus please help

Hi Everyone,
It seems i picked up a virus on my PC. AVG alerted me to a trojen and then dealt with it, or so i thought. Now it seems i have lost some of my display properties and screen saver etc. I have run 2 full AVG scan and it says i'm clean, but when i reboot i get the file missing warning .tt3.tmp.vbs My custom wallpaper is missing and it seems they have loaded a screen saver which looks like a fatal error blue screen which appears to be re-booting my PC, but its not, because if i hit the ESC it goes and i get a desktop again.

I searched the internet and found the previous thread which has dealt with this very same problem. I have been instructed to start a new thread for help. I have run the HJT and the log is below. I couldn't run the other recommended applications as i use a wireless KB so can't hit F8 for safe mode. I will be purchasing a wired KB today, to try some of the other remedies when i get home from work.

Please can someone guide me through the correct way to remove this problem.

Log file:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:06 AM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ABIT\ABIT vGuru\OCGuru\OCGuru.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lphcpcfj0ev93.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\CFG32R.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VGA OCGuru] "C:\Program Files\ABIT\ABIT vGuru\OCGuru\OCGuru.exe" -M
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lphcpcfj0ev93] C:\WINDOWS\system32\lphcpcfj0ev93.exe
O4 - HKLM\..\Run: [SMrhctcfj0ev93] C:\Program Files\rhctcfj0ev93\rhctcfj0ev93.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT Hardware Monitor] C:\Program Files\ABIT\ABITEQ\\ABITEQ.exe -s
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.doveplus.com (HKLM)
O15 - Trusted Zone: stg.portalapp.teleflora.com (HKLM)
O15 - Trusted Zone: tfokdevweb.dev.teleflora.org (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11629 bytes

 

Hi nfrost,

Sorry for kicking you out of the other thread but I was already working so many logs that when I scratched my Butt, I didn’t know if it was mine or not.

This way, you will get the help you need for your problem. It looks like you have collected quite a bit of malware.

Don’t worry about trying to use the Safe Mode, just run the following programs in the Normal Mode.

(1.) Please download ATF Cleaner by Atribune & save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.


(2.) Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post contents of that file in your next reply.


(3.) Download ComboFix from Here to your Desktop.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.


(4.) Please post back with the MBAM Log, the ComboFix Log and a fresh HijackThis Log.


Thanks,

2OG

 

Hi 2OG,

Hey you can boot me where you like as long as i fix the PC along the way

I'm at work now, so will do all you have instructed later.
By the way i have a wired KB now, so is it better that i am in safe mode or not?

If i can also pick your brains along the way, i have 2 PC's on a network at work. Both have AVG installed and are connected with a netgear 10/100m switch. Seeing as how i do all my business through these, the last thing i want is to infect these.
With regard to all the programs you have recommended in the previous post, what would you recomend i install to try keep the nasties out.

I know a lot is personal preference, but you are obviously the expert here, so your rec's are going to be the words of god.

One other thing, i have noted in a previous post that someone rec's using a router to give a hardware firewall, does my 10/100m switch constitute the same thing or does it have to be a router?

All help gratefully accepted,

Neil

 

With the programs that I gave you to run, it doesn’t make that much difference. They will take care of their selves..

The reason that Safe Mode is used is: when you try to delete a program that is in use by another program you will get the error message that it cannot be deleted because it is in use.

Safe Mode gets around this error because:

Safe Mode uses a minimal set of device drivers and services to start Windows.
Safe Mode does not run the autoexec.bat or config.sys files.
Safe Mode does not load or run any programs listed in win.ini.

With the target not being used by anything else, it can be deleted easily. Some programs like HijackThis use “delete on reboot” to get around this problem.

We are not talking network here we are talking mechanical firewall. I’ve never seen a 10/100m switch for under 300 bucks. Use a home type, 30-50 buck router with SPI (Stateful Packet Inspection) as a mechanical Firewall. SPI is a stack that the router keeps up with and if your computer did not request a packet, it will not accept it. That way you will not receive “drive-by downloads” just by dragging your mouse over an advertisement or hot spot on a web page.

Before we are done I will give you my Plan and recommendations on how to block malware from getting into your computer.. I think my recommendations hold water because I haven’t had a Virus, Trojan, Rogue. Etc., etc., etc., in the past 9 years….. And, I don’t have to watch where I go on the web. If I try to go to a bad site my computer will not allow me to go there.
Life is so boring without the malware that I come to this forum and help the poor malware collectors clean up their computers…. LOL

Just a thought…….. If I were to post my malware free plan and it caught on, I’d have nothing to do..



2OG

 

Hi 2OG,
I got home early so i could try get this sorted.

1 ATF done ok.
2 Antimal done ok, it required a reboot to finish.
3 Combofix done.
4 Logs as requested:-

Malwarebytes' Anti-Malware 1.24
Database version: 1042
Windows 5.1.2600 Service Pack 2

4:33:17 PM 8/11/2008
mbam-log-8-11-2008 (16-33-17).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|)
Objects scanned: 147085
Time elapsed: 47 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 24

Memory Processes Infected:
C:\WINDOWS\system32\lphcpcfj0ev93.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphcpcfj0ev93.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhctcfj0ev93 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhctcfj0ev93 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Think-Adz (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\zAbstract (Adware.Scaggy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpcfj0ev93 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhctcfj0ev93 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhctcfj0ev93 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Main\My Documents\MY DOWNLOADS\NERO\Nero Reloaded 6.6\Key Gen Nero 6.6.0.3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
G:\DISKS\UTILS\NERO\Nero Reloaded 6.6\Key Gen Nero 6.6.0.3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
H:\DISKS\NERO\Nero Reloaded 6.6\Key Gen Nero 6.6.0.3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\rhctcfj0ev93.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctcfj0ev93\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcpcfj0ev93.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcpcfj0ev93.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dlh9jkd1q8.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Main\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.


ComboFix 08-08-10.05 - Main 2008-08-11 16:42:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.591 [GMT -4:00]
Running from: C:\Documents and Settings\Main\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Main\Application Data\.rdr.ini
C:\Documents and Settings\Main\Application Data\macromedia\Flash Player\#SharedObjects\DSK6BC5G\interclick.com
C:\Documents and Settings\Main\Application Data\macromedia\Flash Player\#SharedObjects\DSK6BC5G\interclick.com\ud.sol
C:\Documents and Settings\Main\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Main\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\winpfz32.sys

.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 15:36 . 2008-08-11 15:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 15:36 . 2008-08-11 15:36 <DIR> d-------- C:\Documents and Settings\Main\Application Data\Malwarebytes
2008-08-11 15:36 . 2008-08-11 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-11 15:36 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-11 15:36 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-10 21:45 . 2008-08-10 21:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-10 21:45 . 2008-08-10 21:45 <DIR> d-------- C:\Documents and Settings\Main\Application Data\SUPERAntiSpyware.com
2008-08-10 21:45 . 2008-08-10 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-10 21:44 . 2008-08-10 21:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-10 21:17 . 2008-08-10 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-31 20:39 . 2008-07-31 20:39 <DIR> d-------- C:\Program Files\Teleflora
2008-07-24 18:24 . 2008-07-24 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TomTom
2008-07-13 18:44 . 2008-07-13 18:44 <DIR> d-------- C:\Documents and Settings\Main\Application Data\TomTom
2008-07-13 18:43 . 2008-07-13 18:43 <DIR> d-------- C:\Program Files\TomTom HOME 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 22:32 --------- d-----w C:\Program Files\Java
2008-08-06 16:15 --------- d-----w C:\Documents and Settings\Main\Application Data\AdobeUM
2008-07-13 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 22:40 --------- d-----w C:\Program Files\TomTom HOME
2008-07-07 00:02 --------- d-----w C:\Program Files\V CAST Music with Rhapsody
2008-07-06 23:59 --------- d-----w C:\Program Files\Common Files\Real
2008-07-06 23:58 --------- d-----w C:\Program Files\Real
2008-07-06 23:50 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVGTOOLBAR
2008-07-03 22:38 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2007-01-05 01:50 82,960 ----a-w C:\Documents and Settings\Main\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-07-12 16:22 57344]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-10-12 17:08 1622016]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 14:23 102400]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 00:00 98304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:56 15360]
"ABIT Hardware Monitor"="C:\Program Files\ABIT\ABITEQ\\ABITEQ.exe" [2005-01-17 11:51 430080]
"mount.exe"="C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 16:17 374272]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 04:42 202088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 04:50 204800]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-10 23:19 69632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AS00_Gear311T"="C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe" [2004-11-11 15:29 475136]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 12:10 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 21:00 90112]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 00:00 98304]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"VGA OCGuru"="C:\Program Files\ABIT\ABIT vGuru\OCGuru\OCGuru.exe" [2005-06-09 17:47 3178581]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 18:39 1232152]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 12:42 90112 C:\WINDOWS\soundman.exe]
"P17Helper"="P17.dll" [2005-05-02 23:38 64512 C:\WINDOWS\system32\P17.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 20:56 15360]

C:\Documents and Settings\Main\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-29 16:11:28 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-14 20:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-29 16:11:28 113664]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 21:41:30 972064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\U-ABIT\\FlashMenu\\flashmenu.exe"=
"C:\\Program Files\\Peaqe\\Peaqe\\DSR.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 ABIT-IO;ABIT-IO;C:\WINDOWS\system32\Drivers\ABIT-IO.sys [2004-09-10 17:15]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 18:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 18:39]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 17:36]
R2 sw848b;sw848b;C:\WINDOWS\system32\drivers\sw848b.sys [1999-12-30 16:13]
R2 sw878b;sw878b;C:\WINDOWS\system32\drivers\sw878b.sys [2000-09-29 20:46]
R3 atidgllk;atidgllk;C:\Program Files\ABIT\ABIT vGuru\OCGuru\atidgllk.sys [2004-06-16 14:34]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 13:43]
R3 cg300;cg300VidCap;C:\WINDOWS\system32\DRIVERS\cg300vc.sys [2002-03-21 01:33]
R3 cg300Au;cg300 Audio Capture;C:\WINDOWS\system32\DRIVERS\cg300au.sys [2002-03-21 01:33]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 14:49]
S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311tn5.sys [2004-08-13 12:37]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 08:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33f12463-5874-11dd-b795-00508d753c1b}]
\Shell\AutoRun\command - J:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a28a91b3-8199-11db-a361-00508d753c1b}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Nero PhotoShow Media Manager - C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
HKCU-Run-PhotoShow Deluxe Media Manager - C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
HKCU-Run-ATI Launchpad - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 -: Trusted Zone: www.doveplus.com
O15 -: Trusted Zone: stg.portalapp.teleflora.com
O15 -: Trusted Zone: tfokdevweb.dev.teleflora.org


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 16:46:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\EPSON\ESM2\eEBSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-08-11 16:50:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-11 20:50:10

Pre-Run: 34,335,838,208 bytes free
Post-Run: 34,382,356,480 bytes free

180 --- E O F --- 2008-07-09 11:27:17


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:49 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\ABIT\ABIT vGuru\OCGuru\OCGuru.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VGA OCGuru] "C:\Program Files\ABIT\ABIT vGuru\OCGuru\OCGuru.exe" -M
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT Hardware Monitor] C:\Program Files\ABIT\ABITEQ\\ABITEQ.exe -s
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.doveplus.com (HKLM)
O15 - Trusted Zone: stg.portalapp.teleflora.com (HKLM)
O15 - Trusted Zone: tfokdevweb.dev.teleflora.org (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10931 bytes

 

2OG,

I'm glad you know what all that stuff means as it beats me.

I have done a complete reboot from cold and i now do not get the file missing message at startup. Also all my display properties seem to be back, i have added my custom wallpaper and re-enabled screen saver etc.

I hope thats it..........awaiting your further instruction.

Oh and a big thank you, it must be hard looking at all these line of info all the time.

 

OK, Neil, good job..

Please do this final and then we’re done. Unless you have anything else..

It may be a couple of days before I can get the list of programs for you, some are in this post but there is a specific list that I use. Just stay tied to this thread and I’ll get it to you.

Congratulations your log looks CLEAN


There are a few things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt2 by OldTimer

• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.

• The tools that we used as well as this one will be removed from your system.


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.



3. Now Set a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".

• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then go to Start > Run and type: Cleanmgr
• Click "OK"
Select the drive you want to clean usually C:
Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


4. Defragment your Hard Drive

1.Open My Computer.
2.Right-click the local disk volume that you want to defragment, and then click Properties.
3.On the Tools tab, click Defragment Now.
4.Click Defragment.




And here are some tips to reduce the potential for spyware infection in the future:

Download and install Spywareblaster <= SpywareBlaster will prevent Bad ActiveX and spyware from being installed.

In order to prevent the installation of Trojans and Malware on your machine:
Download and install: Comodo BOClean

This little jewel is an AntiMalware/AntiTrojan program that is very non-invasive. It doesn’t scan for malware that has been installed, it just sits in the tray and captures malware BEFORE it is installed.. It has about 60,000 definitions in the data base and updates 2 or 3 times a week. Install this and you may never get another Trojan…..


Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.


And also see TonyKlein's good advice
So how did I get infected in the first place?




Enjoy your clean computer. Any questions?


2OG

 

Sir 2OG,

You are the best.

Thanks for all you help.

I will stay attached to the thread, so if you have time for the recomendations that would be great.

 

@ nfrost,

Sorry for the delay : (

I am putting together a full explanation of the following but just haven’t had the time lately to finish it.

I’ll attempt to cover what I can but can’t go into much detail.

I use and recommend a layered protection plan that BLOCKS malware BEFORE it enters your computer.

Layer 1 - a Firewall - this can be a router with SPI (stateful packet inspection) or a 3rd party software firewall – comodo pro for the geeks and ZoneAlarm Free for the novice.

Layer 2 – a HOST file - This is the most important layer it blocks Bad Sites from being able to get into your computer – MVPS Host file only, for the novice and a combination of MVPS and HP Hosts with HostXpert.exe to manage them for the geeks.

Layer 3 – an AntiVirus – Avira AntiVir for everyone – the free version has Nag screens but can be stopped by googling avira antivir nag disable – I like it better than any AV I’ve tried Free or Paid.

Layer 4 – an Anti malware – Comodo BOClean for everyone – for the paranoid I suggest adding a weekly scan with MalwareBytes’ AntiMalware or SUPERAnitSpyware or BOTH but If you have this full plan in place you won’t need them.

Layer 5 – a HIPS – Host Intrusion Prevention Software – WinPatrol or if you’re using Comodo Pro Firewall you probably don’t need it.



For a backup system use and recommend Acronis True Image Home.



2OG

 

Hey 2OG,

Thanks for getting back to me.

I had already gleaned from some of your previous posts, most of what you have told me.

I now have both Comodo products running ok and i have kept with AVG.

The only one i'm not sure about is the Host file, this may be getting just a little complicated for me.

Anyway i have more in place than before i found you, so hopefully i will be safe.

Its comforting to know that if a do get anything else, you and people like you are here to help.

Again, thanks for all your help.

Regards,

Neil