
Solve: MSN Virus...?


Done scans with my antivirus.
Done scans with Malwarebytes.
Done scans with Spybot.

All programs detected something, which I've either quarantined or deleted.

It's the usual symptoms: MSN freezes up and my mouse cursor stops completely until I Ctrl+Alt+Delete and kill MSN from my processes.

Got a log here. Just checking to see if there's anything in the log I've missed.

Logfile of HijackThis v1.99.1
Scan saved at 23:43:27, on 26/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Tony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.22\RivaTuner.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Tony\Application Data\cogad\cogad.exe" 61A847B5BBF72810359A3E466188719AB689201 522886B092CBD44BD8689220221DD3257
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AEF9B5E-31C0-4AC1-ACA7-15915E2A8642}: NameServer = 212.139.132.9 212.139.132.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{6AEF9B5E-31C0-4AC1-ACA7-15915E2A8642}: NameServer = 212.139.132.9 212.139.132.8
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


There was a program evilfantasy told another member about; it uses cmd to remove viruses. Can someone help me find that?

Thanks.

Please look at my log =)

You still have some bad stuff on the computer.

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident.
2. Run Spybot S&D.
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt and restart your computer.

Note:
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
- O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
- O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Tony\Application Data\cogad\cogad.exe" 61A847B5BBF72810359A3E466188719AB689201 522886B092CBD44BD8689220221DD3257


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Alcmtr"=-
"Windows UDP Control Center"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

The reg entry was a success. I wasn't too sure about ending antivirus programs due to getting trojan warnings every 5 minutes. I'm not sure if it worked or not ....

ComboFix 09-02-01.01 - Tony 2009-02-27 0:10:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1645 [GMT 0:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-26 23:24 . 2009-02-26 23:24             d--------  c:\program files\Malwarebytes' Anti-Malware
2009-02-26 23:24 . 2009-02-26 23:24             d--------  c:\documents and settings\Tony\Application Data\Malwarebytes
2009-02-26 23:24 . 2009-02-26 23:24             d--------  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 23:24 . 2009-01-14 16:11     38,496  --a------  c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 23:24 . 2009-01-14 16:11     15,504  --a------  c:\windows\system32\drivers\mbam.sys
2009-02-26 22:56 . 2009-02-26 22:57             d--------  c:\program files\Spybot - Search & Destroy
2009-02-26 22:56 . 2009-02-26 23:16             d--------  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 22:50 . 2009-02-26 22:50             d--------  C:\VundoFix Backups
2009-02-26 22:37 . 2009-02-26 22:37             d--------  c:\program files\Avira
2009-02-26 22:37 . 2009-02-26 22:37             d--------  c:\documents and settings\All Users\Application Data\Avira
2009-02-26 22:28 . 2009-02-26 22:28      4,096  --a------  C:\sinh.exe
2009-02-26 10:48 . 2009-02-26 10:48             d--------  c:\windows\Sun
2009-02-25 10:26 . 2009-02-25 10:26             d--------  c:\program files\LimeWire
2009-02-25 10:26 . 2009-02-25 22:04             d--------  c:\documents and settings\Tony\Application Data\LimeWire
2009-02-25 10:21 . 2009-02-25 10:21             d--------  c:\program files\iMesh Applications
2009-02-25 10:21 . 2009-02-25 10:23             d--------  c:\documents and settings\Tony\Application Data\iMesh
2009-02-25 10:21 . 2005-10-07 12:50    483,328  --a------  c:\windows\system32\actskn45.ocx
2009-02-25 05:44 . 2009-02-25 05:45             d--------  c:\program files\Yahoo!
2009-02-25 05:44 . 2009-02-25 05:45             d--------  c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-25 05:26 . 2009-02-25 05:26             d--------  c:\program files\Common Files\Adobe AIR
2009-02-25 05:26 . 2009-02-25 05:26             d--------  c:\program files\Common Files\Adobe
2009-02-25 03:09 . 2009-02-25 03:09             d--------  C:\CFLog
2009-02-25 03:08 . 2003-07-17 09:17      5,174  --a------  c:\windows\system32\nppt9x.vxd
2009-02-25 03:08 . 2005-01-01 00:43      4,682  --a------  c:\windows\system32\npptNT2.sys
2009-02-25 03:07 . 2009-02-25 03:07             d--------  c:\program files\Common Files\INCA Shared
2009-02-25 03:05 . 2009-02-25 03:05             d--------  c:\program files\G4box
2009-02-24 08:42 . 2009-02-24 08:42             d--------  C:\Games
2009-02-22 05:09 . 2009-02-22 05:13             d--------  c:\windows\system32\Adobe
2009-02-22 05:09 . 2009-01-16 18:34    499,712  --a------  c:\windows\system32\msvcp71.dll
2009-02-22 05:09 . 2009-01-16 18:34    348,160  ---------  c:\windows\system32\msvcr71.dll
2009-02-22 04:50 . 2009-02-22 04:50    410,984  --a------  c:\windows\system32\deploytk.dll
2009-02-03 05:46 . 2009-02-03 06:00             d--------  c:\windows\system32\CatRoot_bak
2009-02-03 05:42 . 2008-08-14 10:00  2,180,352  -----c---  c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-03 05:42 . 2008-08-14 09:58  2,136,064  -----c---  c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-03 05:42 . 2008-08-14 09:22  2,057,728  -----c---  c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-03 05:42 . 2008-08-14 09:22  2,015,744  -----c---  c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 05:41 . 2008-10-24 11:10    453,632  -----c---  c:\windows\system32\dllcache\mrxsmb.sys
2009-02-03 05:41 . 2008-06-13 13:10    272,128  ---------  c:\windows\system32\drivers\bthport.sys
2009-02-03 05:41 . 2008-06-13 13:10    272,128  -----c---  c:\windows\system32\dllcache\bthport.sys
2009-02-03 05:33 . 2009-02-03 06:09             d--h-----  c:\windows\$hf_mig$
2009-02-03 00:24 . 2009-02-03 00:24             d--------  c:\documents and settings\Tony\Application Data\vlc
2009-02-03 00:23 . 2009-02-03 00:23             d--------  c:\program files\VideoLAN
2009-02-02 17:27 . 2004-08-03 23:08     26,496  --a--c---  c:\windows\system32\dllcache\usbstor.sys
2009-02-02 17:18 . 2009-02-02 17:18             d--------  c:\program files\uTorrent
2009-02-02 17:18 . 2009-02-26 06:28             d--------  c:\documents and settings\Tony\Application Data\uTorrent
2009-02-02 16:11 . 2009-02-22 04:49             d--------  c:\program files\Java
2009-02-02 16:11 . 2009-02-22 04:50     73,728  --a------  c:\windows\system32\javacpl.cpl
2009-02-02 16:10 . 2009-02-02 16:10             d--------  c:\program files\Common Files\Java
2009-02-02 16:00 . 2009-02-02 16:00     22,328  --a------  c:\documents and settings\Tony\Application Data\PnkBstrK.sys
2009-02-02 15:59 . 2009-02-02 15:59             d--------  c:\windows\system32\LogFiles
2009-02-02 15:59 . 2009-02-26 21:40    188,848  --a------  c:\windows\system32\PnkBstrB.exe
2009-02-02 15:59 . 2009-02-02 16:28     70,968  --a------  c:\windows\system32\PnkBstrA.exe
2009-02-02 05:32 . 2009-02-24 04:23             d--------  C:\World of Warcraft
2009-02-02 05:31 . 2009-02-02 05:31             d--------  c:\documents and settings\All Users\Application Data\Blizzard
2009-02-02 05:25 . 2009-02-02 10:46             d--------  c:\program files\Common Files\Blizzard Entertainment
2009-02-02 05:20 . 2009-02-02 05:20             d--------  c:\program files\RivaTuner v2.22
2009-02-02 05:19 . 2009-02-02 05:19             d--------  c:\documents and settings\Tony\Application Data\Apple Computer
2009-02-02 05:19 . 2008-04-17 13:12    107,368  --a------  c:\windows\system32\GEARAspi.dll
2009-02-02 05:19 . 2008-04-17 13:12     15,464  --a------  c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 05:18 . 2009-02-02 05:18             d--------  c:\program files\QuickTime
2009-02-02 05:18 . 2009-02-02 05:19             d--------  c:\program files\iTunes
2009-02-02 05:18 . 2009-02-02 05:18             d--------  c:\program files\iPod
2009-02-02 05:18 . 2009-02-02 05:18             d--------  c:\program files\Bonjour
2009-02-02 05:18 . 2009-02-02 05:18             d--------  c:\program files\Apple Software Update
2009-02-02 05:18 . 2009-02-02 05:18             d--------  c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-02 05:18 . 2009-02-02 05:19             d--------  c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 05:17 . 2009-02-02 05:17             d--------  c:\program files\Common Files\Apple
2009-02-02 05:17 . 2009-02-02 05:17             d---s----  c:\documents and settings\Tony\UserData
2009-02-02 05:17 . 2009-02-02 05:17             d--------  c:\documents and settings\All Users\Application Data\Apple
2009-02-02 05:15 . 2009-02-02 05:15             d--------  c:\windows\system32\Lang
2009-02-02 05:15 . 2009-02-02 05:15    940,794  --a------  c:\windows\system32\LoopyMusic.wav
2009-02-02 05:15 . 2009-02-02 05:15    146,650  --a------  c:\windows\system32\BuzzingBee.wav
2009-02-02 05:15 . 2004-08-03 23:15     82,944  --a------  c:\windows\system32\drivers\wdmaud.sys
2009-02-02 05:15 . 2004-08-03 23:15     82,944  --a--c---  c:\windows\system32\dllcache\wdmaud.sys
2009-02-02 05:15 . 2004-08-03 23:07     52,864  --a------  c:\windows\system32\drivers\DMusic.sys
2009-02-02 05:15 . 2004-08-03 23:07     52,864  --a--c---  c:\windows\system32\dllcache\dmusic.sys
2009-02-02 05:15 . 2004-08-03 23:07      6,400  --a------  c:\windows\system32\drivers\splitter.sys
2009-02-02 05:15 . 2004-08-03 23:07      6,400  --a--c---  c:\windows\system32\dllcache\splitter.sys
2009-02-02 05:13 . 2004-08-04 00:56    130,048  --a------  c:\windows\system32\ksproxy.ax
2009-02-02 05:13 . 2004-08-04 00:56    130,048  --a--c---  c:\windows\system32\dllcache\ksproxy.ax
2009-02-02 05:13 . 2004-08-03 23:08     60,288  --a------  c:\windows\system32\drivers\drmk.sys
2009-02-02 05:13 . 2004-08-03 23:08     60,288  --a--c---  c:\windows\system32\dllcache\drmk.sys
2009-02-02 05:13 . 2004-08-04 00:56      4,096  --a------  c:\windows\system32\ksuser.dll
2009-02-02 05:13 . 2004-08-04 00:56      4,096  --a--c---  c:\windows\system32\dllcache\ksuser.dll
2009-02-02 05:12 . 2009-02-02 05:12             d--------  c:\program files\Realtek
2009-02-02 05:11 . 2009-01-22 16:53             d--------  c:\documents and settings\Tony\HD_Audio
2009-02-02 05:10 . 2009-02-02 05:10             d--------  c:\documents and settings\Tony\Contacts
2009-02-02 05:00 . 2009-02-02 05:19             d----c---  c:\windows\system32\DRVSTORE
2009-02-02 05:00 . 2009-02-02 05:00             d--------  c:\program files\Intel
2009-02-02 05:00 . 2009-02-02 05:00             d--------  C:\Intel
2009-02-02 05:00 . 2009-02-02 05:00             d--------  c:\documents and settings\Tony\INFUpdate
2009-02-02 05:00 . 2007-07-26 16:15     53,248  --a------  c:\windows\system32\CSVer.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 21:40    138,064  ----a-w  c:\windows\system32\drivers\PnkBstrK.sys
2009-02-26 01:36  ---------  d-----w  c:\documents and settings\Tony\Application Data\Xfire
2009-02-23 23:38  ---------  d-----w  c:\program files\Xfire
2009-02-02 17:12  ---------  d--h--w  c:\program files\InstallShield Installation Information
2009-02-02 15:50  ---------  d-----w  c:\program files\Activision
2009-02-02 05:12    319,488  ----a-w  c:\windows\HideWin.exe
2009-02-02 04:53  ---------  d-----w  c:\program files\Lavalys
2009-02-02 04:46  ---------  d-----w  c:\documents and settings\LocalService\Application Data\Xfire
2009-02-02 04:44  ---------  d-----w  c:\program files\Realtek AC97
2009-02-02 04:44  ---------  d-----w  c:\program files\Common Files\InstallShield
2009-02-02 04:36  ---------  d-----w  c:\program files\Common Files\Wise Installation Wizard
2009-02-02 04:36  ---------  d-----w  c:\program files\AGEIA Technologies
2009-02-02 04:20  ---------  d-----w  c:\documents and settings\NetworkService\Application Data\Xfire
2009-02-02 04:18  ---------  d-----w  c:\program files\Thomson
2009-02-02 04:12  ---------  d-----w  c:\program files\microsoft frontpage
2009-01-23 01:17     42,320  ----a-w  c:\windows\system32\xfcodec.dll
2009-01-07 11:28    453,152  ----a-w  c:\windows\system32\NVUNINST.EXE
2008-12-10 09:45     70,936  ----a-w  c:\windows\system32\PhysXLoader.dll
2008-12-04 09:28     24,344  ----a-w  c:\windows\system32\PhysXDevice.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2007-06-11 901120]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-22 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Tony\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-01-23 2993488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enGB-Win-Update-downloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tiscali.co.uk/broadband
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/broadband
TCP: {6AEF9B5E-31C0-4AC1-ACA7-15915E2A8642} = 212.139.132.9 212.139.132.8
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\jv3zbyde.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 00:11:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-27 0:12:00
ComboFix-quarantined-files.txt 2009-02-27 00:11:58

Pre-Run: 83,605,630,976 bytes free
Post-Run: 97,640,075,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

202 --- E O F --- 2009-02-03 06:09:39
Quote

I wasn't too sure about ending antivirus programs due to getting trojan warnings every 5 minutes.

They aren't doing much good if the malware is already on the system. And with TeaTimer running it is sometimes impossible to remove a virus, since it resets the registry in many instances. You should always turn off TeaTimer when scanning for or removing malware.

Scan Suspicious File(s)

Please go to VirusTotal.com
(If more than one file needs to be scanned, they must be done separately and logs posted for each one.)

1. Copy the file path in the below Code box:
   Code:
   C:\sinh.exe
2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then paste the link to the results in the next reply.

Here we go:

File sinh.exe received on 02.02.2009 01:24:36 (CET)
Result: 0/39 (0%)
Antivirus          Version          Last Update  Result
a-squared          4.0.0.93         2009.02.01   -
AhnLab-V3          5.0.0.2          2009.02.01   -
AntiVir            7.9.0.70         2009.02.01   -
Authentium         5.1.0.4          2009.02.01   -
Avast              4.8.1281.0       2009.02.01   -
AVG                8.0.0.229        2009.02.01   -
BitDefender        7.2              2009.02.02   -
CAT-QuickHeal      10.00            2009.01.31   -
ClamAV             0.94.1           2009.02.02   -
Comodo             957              2009.02.01   -
DrWeb              4.44.0.09170     2009.02.02   -
eSafe              7.0.17.0         2009.02.01   -
eTrust-Vet         31.6.6335        2009.01.29   -
F-Prot             4.4.4.56         2009.02.01   -
F-Secure           8.0.14470.0      2009.02.02   -
Fortinet           3.117.0.0        2009.02.01   -
GData              19               2009.02.02   -
Ikarus             T3.1.1.45.0      2009.02.01   -
K7AntiVirus        7.10.612         2009.01.31   -
Kaspersky          7.0.0.125        2009.02.02   -
McAfee             5513             2009.02.01   -
McAfee+Artemis     5513             2009.02.01   -
Microsoft          1.4306           2009.02.02   -
NOD32              3816             2009.02.01   -
Norman             6.00.02          2009.01.31   -
nProtect           2009.1.8.0       2009.01.30   -
Panda              9.5.1.2          2009.02.01   -
PCTools            4.4.2.0          2009.02.01   -
Prevx1             V2               2009.02.02   -
Rising             21.14.61.00      2009.02.01   -
SecureWeb-Gateway  6.7.6            2009.02.01   -
Sophos             4.38.0           2009.02.01   -
Sunbelt            3.2.1835.2       2009.01.16   -
Symantec           10               2009.02.02   -
TheHacker          6.3.1.5.243      2009.02.01   -
TrendMicro         8.700.0.1004     2009.01.30   -
VBA32              3.12.8.12        2009.02.01   -
ViRobot            2009.1.31.1583   2009.01.31   -
VirusBuster        4.5.11.0         2009.02.01   -


If that's not what you wanted ^^ please tell me what information you did want.

Tony:)

Btw thanks for helping.

Webwasher-Gateway - - BlockReason.0

: /

I looked on another page, and there was that....

That's what I needed. How is the computer running now?

I will reinstall MSN, and take a look.

I had no issue with it slowing down; as soon as I clicked the link, I only realised it was an exe when it said, Image will not load...

Then I thought ah ****.....

My mate sent it, so I assumed it was a trustworthy source, but it turns out she's infected beyond belief...

I caught it all in time, I hope.

I will post back in 5 minutes.

OK, well all seems OK now ^^

That's 4 hours I won't be getting back lol.....

I will do a full scan with all the antivirus I have tonight, just to be on the safe side...

Thanks for all the help, and by the way, what did the reg entry do?

Just curious, and the items I deleted in HijackThis, what sort of infections were they?

You might have your friend run these tools on their computer, or have them come here and do the malware removal guide.

http://downloads.malwareremoval.com/MsnVirRem.exe
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Quote
Just curious, and the items I deleted in HijackThis, what sort of infections were they?

Alcmtr was just bloatware that slows down many computers.
Windows UDP Control Center/fxstaller.exe: a variant of the IRCBot family of worms and IRC backdoor Trojans. http://www.bleepingcomputer.com/startups/Windows_UDP_Control_Center-24046.html
cogad.exe: added by the Troj/Dloadr-CEP downloading Trojan. http://www.bleepingcomputer.com/startups/cogad.exe-24485.html

----------

Cleanup steps.

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
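As an added example, not part of the thread or of any tool it names: a small Python triage of the O4 autorun lines from the HijackThis log above, applying the kinds of checks the helper made by eye (a path-less executable name, a program launched from the user's Application Data folder, an opaque hex token as argument, a value name that imitates a Windows component), and emitting a REGEDIT4 removal file of the same form as the thread's fixme.reg. The sample lines are copied from the posted log; the allowlist of path-less names and the heuristics themselves are my own assumptions, not HijackThis or ComboFix logic.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log posted in the thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Tony\Application Data\cogad\cogad.exe" 61A847B5BBF72810359A3E466188719AB689201 522886B092CBD44BD8689220221DD3257
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
"""

# HijackThis O4 format: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Full registry keys behind the abbreviated hive names, as written in fixme.reg.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Assumed allowlist of path-less names: ComboFix's "Reg Loading Points" section
# later resolved nwiz.exe and RTHDCPL.EXE to their system directories.
KNOWN_BARE = {"rundll32.exe", "nwiz.exe", "rthdcpl.exe"}

HEX_TOKEN = re.compile(r'\b[0-9A-Fa-f]{32,}\b')


def split_command(cmd):
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the executable
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(text):
    """Turn the HKLM/HKCU Run entries of a HijackThis log into dicts."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # Startup-folder and other O4 forms are out of scope here
        exe, args = split_command(m.group("cmd"))
        entries.append({"hive": m.group("hive"), "name": m.group("name"),
                        "exe": exe, "args": args})
    return entries


def assess(entry):
    """Return the reasons an autorun entry deserves a closer look (empty = none)."""
    exe_lower = entry["exe"].lower()
    reasons = []
    if "\\" not in entry["exe"] and exe_lower not in KNOWN_BARE:
        reasons.append("path-less executable name; on-disk location not recorded")
    if "\\documents and settings\\" in exe_lower or "\\application data\\" in exe_lower:
        reasons.append("launched from a user profile directory")
    if HEX_TOKEN.search(entry["args"]):
        reasons.append("opaque hex token passed as argument")
    if entry["name"].lower().startswith("windows ") and "\\windows\\" not in exe_lower:
        reasons.append("value name imitates a Windows component but target is not under \\WINDOWS")
    return reasons


def triage(text):
    """Entries with at least one reason, in log order."""
    findings = []
    for entry in parse_o4(text):
        reasons = assess(entry)
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings


def make_removal_reg(findings):
    """Build a REGEDIT4 file like fixme.reg: "name"=- deletes that value when merged.
    Only the autostart reference goes; the file itself stays on disk."""
    out = ["REGEDIT4", ""]
    for hive in ("HKLM", "HKCU"):
        names = [f["name"] for f in findings if f["hive"] == hive]
        if names:
            out.append("[" + RUN_KEYS[hive] + "]")
            out.extend('"%s"=-' % n for n in names)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    flagged = triage(SAMPLE_O4_LINES)
    for f in flagged:
        print("%s\\..\\Run [%s] -> %s" % (f["hive"], f["name"], "; ".join(f["reasons"])))
    print(make_removal_reg(flagged))
```

Run as-is it flags exactly the three entries the helper asked to fix (Alcmtr, Windows UDP Control Center, cogad) and prints the matching .reg text; merging such a file only removes the Run values, which is why the thread still went on to ComboFix for the files themselves.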

