I have a virus that keeps opening new windows with advertisements by "outerinfo". Please help. Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:04:53 PM, on 12/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QWxsZW4\command.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1162448142\ee\aolsoftware.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\?icrosoft\n?tepad.exe
C:\PROGRA~1\COMMON~1\PPATCH~1\wuaclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Videos\HijackThis.exe

R3 - URLSearchHook: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPATCH~1\wuaclt.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/029dd85f6a86f981b306/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164696868140
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

I would be grateful for any and all help.
Hi mysticanzn and welcome.

Please download [bold]ComboFix.exe[/bold] to the desktop from here.

Open [bold]ComboFix.exe[/bold] and follow the prompts. When finished, it will produce a log for you. Post that log in your next reply along with a new HijackThis log.

[bold]Note[/bold]: Do not mouseclick ComboFix's window while it's running; it may cause it to stall.
Thanks a lot, niobis. The following are the logs from HJT and Combo:

HJT

Logfile of HijackThis v1.98.2
Scan saved at 11:48:21 PM, on 12/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1162448142\ee\aolsoftware.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\common files\aol\1162448142\ee\aim6.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\durvilx.exe
D:\Videos\HijackThis.exe

R3 - URLSearchHook: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPATCH~1\wuaclt.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/029dd85f6a86f981b306/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164696868140
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

Combo

Allen - 06-12-06 23:43:28.53 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Allen\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\tsuninst.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Cowabanga
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{687277CA-0746-1033-0928-050506220001}
C:\Program Files\network monitor
C:\WINDOWS\QWxsZW4

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Allen\My Documents\MCROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1\wuaclt.exe
C:\QooBox\Purity\WINDOWS\ICROSO~1
C:\QooBox\Purity\WINDOWS\ICROSO~1\n?tepad.exe
C:\QooBox\Purity\WINDOWS\system32\CURITY~1

((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))
2006-12-03 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-03 22:12 <DIR> d-------- C:\Program Files\Adobe
2006-12-03 22:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-12-03 22:07 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\Adobe
2006-12-03 08:47 58,880 --a------ C:\WINDOWS\system32\ccnrovlg.dll
2006-12-03 08:16 <DIR> d-------- C:\WINDOWS\rroq
2006-12-03 08:16 <DIR> d-------- C:\Program Files\Common Files\rroq
2006-12-02 20:33 2 --a------ C:\WINDOWS\system32\wnstssv.exe
2006-12-02 20:33 131 --a-s---- C:\WINDOWS\test.bat
2006-11-28 10:53 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-11-28 01:58 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-11-28 01:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-11-28 01:58 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-11-28 01:57 <DIR> d-------- C:\WINDOWS\system32\bits
2006-11-27 09:41 96,256 --a-s---- C:\WINDOWS\system32\druid_redux.exe
2006-11-27 09:41 45,056 --a------ C:\WINDOWS\system32\regapi.exe
2006-11-27 09:37 96,256 --a-s---- C:\WINDOWS\system32\druid_cchoice.exe
2006-11-27 09:37 96,256 --a------ C:\WINDOWS\system32\durvilx.exe
2006-11-27 09:37 151,552 --a------ C:\WINDOWS\system32\durvilx.dll
2006-11-24 00:17 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-11-24 00:17 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
[remainder of the ComboFix "Files Created" listing and the "Find3M Report" section omitted]
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Ncao"="\"C:\\PROGRA~1\\COMMON~1\\PPATCH~1\\wuaclt.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1162448142\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061205-220245-687 O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
backup-20061205-215510-798 O4 - HKCU\..\Run: [Wswczl] C:\WINDOWS\?icrosoft\n?tepad.exe
backup-20061205-215510-549 O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Allen\MYDOCU~1\WNSXS~1\javaw.exe" -vt tzt
backup-20061205-215509-810 O4 - HKCU\..\Run: [rroq] C:\PROGRA~1\COMMON~1\rroq\rroqm.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-12-06 23:45:21.87
C:\ComboFix.txt ... 06-12-06 23:45
Hi mysticazn, my apologies for the delay. Got caught by a snow storm and no computer.

Go to Add/Remove Programs and uninstall:
Viewpoint Manager (if you didn't install it)

Then, press Ctrl+Alt+Del and click the Processes tab. End this process:
durvilx.exe

Close Task Manager and open HijackThis. Run a scan only and check these (if there):
R3 - URLSearchHook: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPATCH~1\wuaclt.exe" -vt ndrv

Close all windows except HijackThis, then click Fix checked.

Then, go here to download the trial version of [bold]AVG Anti-spyware[/bold]. Install and open AVGAS. Click "[bold]Update[/bold]", then click "[bold]Start update[/bold]". After updating, close AVGAS.

[bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.

Restart your computer in safe mode (press [bold]F8[/bold] upon boot, select "[bold]Safe Mode[/bold]" from the menu and press [bold]Enter[/bold]). Open AVGAS and click "[bold]Scanner[/bold]". Click "[bold]Complete System Scan[/bold]". When it finishes scanning, set all items to "[bold]Quarantine[/bold]". Click "[bold]Apply All Actions[/bold]". Click "[bold]Save Report[/bold]" and save it to the desktop.

Restart in normal mode. Go here to run [bold]Kaspersky Online Scanner[/bold]. After downloading, click "[bold]My Computer[/bold]" to scan. After scanning, click "[bold]Save report as[/bold]". Save as a text file on the desktop.

Post back with the Kaspersky log and a new HijackThis log.
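The entries niobis picks out for "Fix checked" share patterns that can be read mechanically from a HijackThis log: a URLSearchHook or BHO registered with no display name, a CLSID whose file is gone, a Run entry launched from an 8.3 short-name folder under Common Files, and a path that HijackThis printed with "?" where it could not display a character. As an added example (not from the thread and not HijackThis code), here is a small Python triage script that parses R3/O2/O4 lines from a constructed sample in the log's format and applies those four checks; the heuristics are mine and are a review aid, not a verdict.

```python
"""Triage a HijackThis log: parse R3/O2/O4 entries and flag suspicious ones.

Added example, not part of the thread. The checks mirror what a helper does
by eye: unnamed hooks/BHOs, orphaned CLSIDs, 8.3 short-name launch paths and
paths HijackThis rendered with '?' for characters it could not display.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the HijackThis line format pasted in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPATCH~1\wuaclt.exe" -vt ndrv
O4 - HKCU\..\Run: [Wswczl] C:\WINDOWS\?icrosoft\n?tepad.exe
"""

# R3 (URLSearchHook) and O2 (BHO) lines: "<section> - <kind>: <name> - <clsid> - <path>"
HOOK_RE = re.compile(
    r"^(?P<section>R3|O2) - (?:URLSearchHook|BHO): (?P<name>.*?) - "
    r"(?P<clsid>_?\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O4 Run-key lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(
    r"^(?P<section>O4) - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# First executable-looking token of a command line, quoted or unquoted.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|pif|bat))"?', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    name: str
    path: str
    raw: str
    flags: List[str] = field(default_factory=list)


def parse_entries(log_text: str) -> List[Entry]:
    """Turn R3/O2/O4 lines into Entry records; every other section is ignored."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["name"], m["path"], line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            path = exe["path"] if exe else m["cmd"]
            entries.append(Entry(m["section"], m["name"], path, line))
    return entries


def flag_entry(e: Entry) -> List[str]:
    """Apply the by-eye heuristics; an empty list means nothing stood out."""
    flags = []
    if e.section in ("R3", "O2") and e.name == "(no name)":
        flags.append("hook/BHO registered without a display name")
    if e.path == "(no file)":
        flags.append("orphaned entry: CLSID points at a missing file")
    if "?" in e.path:
        flags.append("path contains a character HijackThis could not display")
    if re.search(r"~\d", e.path):
        flags.append("8.3 short-name path; expand it and inspect the real folder")
    return flags


def triage(log_text: str) -> List[Entry]:
    """Parse a log and return only the entries that raised at least one flag."""
    flagged = []
    for e in parse_entries(log_text):
        e.flags = flag_entry(e)
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```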
wow... I didn't know I had so much crap on my computer, thanks for helping me, is there a way to remove the virus completely? here are the logs:

Kaspersky Log:

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 28995
Number of viruses found: 12
Number of infected objects: 30 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:24:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01C00000.VBN Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F880000.VBN Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F9C0000.VBN Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FA40000.VBN Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FA40001.VBN Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FA80000.VBN Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FAC0000.VBN Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FAC0001.VBN Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\Allen\Application Data\Real\RealPlayer\skins\data\normal\imgcache.dat Object is locked skipped
C:\Documents and Settings\Allen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\AOL\UserProfiles\1162448142\darkmastrmage\cls\common.cls Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\AOL\UserProfiles\1162448142\guardianforce725\cls\common.cls Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\mysticasian@msn.com\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\mysticasian@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\mysticasian@msn.com\SharingMetadata\Working\database_BC68_72BF_6872_77CA\dfsr.db Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\mysticasian@msn.com\SharingMetadata\Working\database_BC68_72BF_6872_77CA\fsr.log Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\mysticasian@msn.com\SharingMetadata\Working\database_BC68_72BF_6872_77CA\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Messenger\mysticasian@msn.com\SharingMetadata\Working\database_BC68_72BF_6872_77CA\tmp.edb Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows Live Contacts\mysticasian@msn.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows Live Contacts\mysticasian@msn.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\History\History.IE5\MSHist012006120920061210\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temp\~DF78BA.tmp Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temp\~DF7924.tmp Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temp\~DF888.tmp Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temp\~DF893.tmp Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\C9G9IVGX\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\YR6Z6TQR\avgas-setup-7.5.0.50[1].exe/stream/data0292 Infected: Trojan-Downloader.Win32.Agent.bcw skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\YR6Z6TQR\avgas-setup-7.5.0.50[1].exe/stream Infected: Trojan-Downloader.Win32.Agent.bcw skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\YR6Z6TQR\avgas-setup-7.5.0.50[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Allen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Allen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Agent.bcw skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe/stream Infected: Trojan-Downloader.Win32.Agent.bcw skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP39\A0002668.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP39\A0002668.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003073.dll Infected: Trojan.Win32.Kolweb.b skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003079.exe Infected: Trojan.Win32.Kolweb.j skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003080.exe Infected: Trojan.Win32.Kolweb.j skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003081.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003082.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003083.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003084.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\A0003086.dll Infected: Trojan.Win32.Kolweb.b skipped
C:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E3EAC768-2FBE-4FDD-8F53-65A2D77065F3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\druid_cchoice.exe Infected: Trojan.Win32.Kolweb.j skipped
C:\WINDOWS\system32\druid_redux.exe Infected: Trojan.Win32.Kolweb.j skipped
C:\WINDOWS\system32\durvilx.exe Infected: Trojan.Win32.Kolweb.j skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\regapi.exe Infected: Trojan-Downloader.Win32.Agent.axh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{AED36962-2D12-4777-84E6-BAAFC19A1543}\RP43\change.log Object is locked skipped
D:\Videos\backups\backup-20061208-235740-862.dll Infected: Trojan.Win32.Kolweb.b skipped

Scan process completed.

HJT Log:

Logfile of HijackThis v1.98.2
Scan saved at 1:23:41 AM, on 12/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1162448142\ee\aim6.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Videos\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/029dd85f6a86f981b306/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164696868140
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
There's something strange about this. It looks as if Agent.bcw has infected AVGAS's files. You'll need to uninstall it to remove the infection.

First, go here and download [bold]CCleaner[/bold].
[bold]Note[/bold]: If you do not want [bold]Yahoo! Toolbar[/bold] uncheck the option when installing. Do not run yet, we will later.

Then, go to Add/Remove Programs and uninstall AVG Anti-spyware.

Run a scan only with HijackThis to fix this. Be sure to close all other windows before clicking Fix checked.

O2 - BHO: (no name) - {B9C8FA0E-3599-313A-EA5D-3E76664B57E6} - C:\WINDOWS\System32\ccnrovlg.dll (file missing)

Exit HijackThis.

Open [bold]CCleaner[/bold]. Click [bold]Options[/bold] > [bold]Advanced[/bold] > uncheck "Only delete files in Windows Temp folders older than 48 hours". Close all windows. Click Cleaner > [bold]Run Cleaner[/bold]. After cleaning, click "[bold]Issues[/bold]". Click "[bold]Scan for Issues[/bold]". After scanning, click "[bold]Fix selected issues...[/bold]". When prompted to back up the registry, click "[bold]Yes[/bold]". Exit CCleaner.

[bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.

Restart in safe mode.

Show hidden files and folders. Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders". Click Apply, then OK.

Locate and delete these:
C:\WINDOWS\system32\druid_cchoice.exe <--file
C:\WINDOWS\system32\druid_redux.exe <--file
C:\WINDOWS\system32\durvilx.exe <--file
C:\WINDOWS\system32\regapi.exe <--file
D:\Videos\backups <--backup folder

Empty the Recycle Bin and restart in normal mode.

Empty Norton's quarantine.

Turn off [bold]System Restore[/bold]. Right click [bold]My Computer[/bold] > [bold]Properties[/bold] > [bold]System Restore tab[/bold] > check "[bold]Turn off System Restore[/bold]". Click [bold]Apply[/bold], then [bold]OK[/bold]. Restart and turn System Restore back on.

Then, go here to run [bold]ActiveScan[/bold]. Click "[bold]Panda ActiveScan[/bold]". Fill in the form with your information. After downloading, click [bold]My Computer[/bold] to scan. When it finishes, click "[bold]See Report[/bold]". Click "[bold]Save report[/bold]" and save it to the desktop.

Post back with the ActiveScan log and a new HijackThis log. We will wait to see if ActiveScan finds anything before reinstalling AVGAS.
Incident Status Location
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Allen\Cookies\allen@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Allen\Cookies\allen@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Allen\Cookies\allen@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Allen\Cookies\allen@doubleclick[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Allen\Cookies\allen@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Allen\Cookies\allen@tribalfusion[1].txt
Possible Virus. Not disinfected C:\QooBox\Purity\Program Files\Common Files\PPATCH~1\wuaclt.exe

Logfile of HijackThis v1.98.2
Scan saved at 4:36:05 PM, on 12/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\common files\aol\1162448142\ee\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Videos\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/029dd85f6a86f981b306/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164696868140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
Download [bold]Ad-Aware SE Personal 1.06[/bold].

[bold]Install Ad-Aware SE Personal[/bold]:
Follow the default settings for installation. After installing uncheck the following:
* "[bold]Perform a full system scan now[/bold]"
* "[bold]Update definition file now[/bold]"
* "[bold]Open the help file now[/bold]"

[bold]Update Ad-Aware SE Personal[/bold]:
Open [bold]Ad-Aware[/bold]. Click "[bold]Check for updates now[/bold]" then click "[bold]Connect[/bold]". If any are found click "[bold]OK[/bold]" to download and install the updates. Once it has finished click "[bold]Finish[/bold]".

[bold]Configure Ad-Aware SE Personal[/bold]:
Click the Gear button at the top of the window.

Click "[bold]General[/bold]" on the left hand side. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark.
* "[bold]Automatically save logfile[/bold]"
* "[bold]Automatically quarantine objects prior to removal[/bold]"
* "[bold]Safe Mode (always request confirmation)[/bold]"
* "[bold]Prompt to update outdated definitions[/bold]" - change to 7 days from the default 14.

Click "[bold]Scanning[/bold]" on the left hand side. Make sure these items have a green check next to them.
* "[bold]Scan within archives[/bold]"
* "[bold]Select drives & folders to scan[/bold]" - select your hard drive(s).
* "[bold]Scan active processes[/bold]"
* "[bold]Scan registry[/bold]"
* "[bold]Deep-scan registry[/bold]"
* "[bold]Scan my IE favorites for banned URLs[/bold]"
* "[bold]Scan my Hosts file[/bold]"

Click "[bold]Advanced[/bold]" on the left hand side. Make sure these items have a green check next to them.
* "[bold]Move deleted files to Recycle Bin[/bold]"
* "[bold]Include additional object information[/bold]"
* "[bold]Include negligible objects information[/bold]"
* "[bold]Include environment information[/bold]"

Click "[bold]Tweak[/bold]" on the left hand side to display the Tweak Settings box.

Click the + (plus) sign next to the [bold]Scanning Engine[/bold] section. Make sure these items have a green check next to them.
* "[bold]Unload recognized processes & modules during scan[/bold]"
* "[bold]Scan registry for all users instead of current user only[/bold]"
* "[bold]Obtain command line of scanned processes[/bold]"

Click the + (plus) sign next to the [bold]Cleaning Engine[/bold] section. Make sure these items have a green check next to them.
* "[bold]Always try to unload modules before deletion[/bold]"
* "[bold]During removal, unload Explorer and IE if necessary[/bold]"
* "[bold]Let Windows remove files in use at next reboot[/bold]"
* "[bold]Delete quarantined objects after restoring[/bold]"

Once you are done with these settings, click "[bold]Proceed[/bold]" to save them. This will take you back to the main screen.

[bold]Run Ad-Aware SE Personal[/bold]:
* Click the "[bold]Start[/bold]" button.
* Uncheck the "[bold]Search for negligible risk entries[/bold]" entry.
* Choose the "[bold]Use custom scanning options[/bold]" scan mode.
* Click the "[bold]Next[/bold]" button.
* When it finishes, right-click on any entry in the list and click "[bold]Select All[/bold]" to select the whole list.
* Click "[bold]Next[/bold]" and choose "[bold]OK[/bold]" at the prompt to quarantine and remove the objects.

After finishing with Ad-Aware delete this quarantine folder:
C:\QooBox

Run CCleaner to clean the cookies.

Java is out of date. Go here and download [bold]Java Runtime Environment 5.0 Update 10[/bold]. Uninstall all previous versions and updates of JRE via [bold]Add/Remove Programs[/bold]. Restart and install [bold]Update 10[/bold].

Should be fine after that. Any problems?
hmm... should I run HJT again and post it? or are you 100% sure it's good? Oh yea, can I delete some of these programs, like Kaspersky and Panda online scan and CCleaner? thanks for your help by the way
I'm sure you're clean, but it would be good if you do post a new HijackThis log. Just in case. Did you ask because you're having problems or symptoms?

Yes, you may delete ComboFix and the online scanners. Uninstall the online scanners via Add/Remove Programs.

I recommend you keep AVGAS at least until the trial expires. Then, after it expires, the only things taken away are: automatic updates, real-time protection and a few definition extensions. But you can update manually and scan regularly.

I also recommend you keep CCleaner. It's free and it's a wonderful cleaning tool. It will clean cookies and temp files, which will save you a lot of time cleaning them manually.

Ad-Aware is your choice, but I do recommend you keep it too. It's also free (there is also a pay version) and is a great adware remover.

Edit: I almost forgot. Please read here about your newly updated Java. I know you just installed a new update, but today, only one month after releasing Update 10, Sun released version 6.0.
yea, I noticed the 6.0 version and downloaded that instead and thanks for your help, here's the HJT log

Logfile of HijackThis v1.98.2
Scan saved at 1:45:23 AM, on 12/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\1162448142\ee\aolsoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\common files\aol\1162448142\ee\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Videos\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162448142\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/029dd85f6a86f981b306/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164696868140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
Fix this with HijackThis:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/029dd85f6a86...ip/RdxIE601.cab

Be clean after that. You're welcome and good luck!