I'm having trouble ridding my computer of a trojan. It causes IE to crash occasionally, has caused trouble with Warcraft and causes my comp to run slow.
Here are the logs of the scans you recommended I do:
Any advice would be helpful, thanks.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/12/2008 at 04:05 PM
Application Version : 3.9.1008
Core Rules Database Version : 3400
Trace Rules Database Version: 1392
Scan type : Complete Scan
Total Scan Time : 00:35:35
Memory items scanned : 357
Memory threats detected : 2
Registry items scanned : 3379
Registry threats detected : 50
File items scanned : 29938
File threats detected : 28
Adware.AboutBlankChanger
C:\WINDOWS\TEMP\IEOBJ.DLL
C:\WINDOWS\TEMP\IEOBJ.DLL
HKLM\Software\Classes\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}\InprocServer32
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}\InprocServer32#ThreadingModel
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}\ProgID
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}\Programmable
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}\TypeLib
HKCR\CLSID\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{489C5DDD-AB4C-48EC-B397-505BABF9B4BD}
Adware.E404 Helper/Variant
C:\PROGRAM FILES\HELPER\1202682892.DLL
C:\PROGRAM FILES\HELPER\1202682892.DLL
C:\PROGRAM FILES\HELPER\1202682810.DLL
C:\PROGRAM FILES\HELPER\1202682811.DLL
C:\PROGRAM FILES\HELPER\1202682847.DLL
C:\PROGRAM FILES\HELPER\1202682851.DLL
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\InprocServer32
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\InprocServer32#ThreadingModel
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\ProgID
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\Programmable
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\TypeLib
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
Rootkit.RunTime3/FutureGen
HKLM\System\ControlSet001\Services\Bjr75
C:\WINDOWS\SYSTEM32\DRIVERS\BJR75.SYS
HKLM\System\ControlSet003\Services\Bjr75
HKLM\System\CurrentControlSet\Services\Bjr75
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP292\A0036570.SYS
Trojan.DNSChanger-Codec
HKCR\CLSID\E404.e404mgr
HKCR\CLSID\E404.e404mgr#UserId
HKCR\ChristmasPorn
HKCR\ChristmasPorn\CLSID
HKU\.DEFAULT\Software\ChristmasPorn
HKU\S-1-5-18\Software\ChristmasPorn
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChristmasPorn
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChristmasPorn#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChristmasPorn#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChristmasPorn#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ChristmasPorn#DisplayIcon
C:\Program Files\ChristmasPorn\Uninstall.exe
C:\Program Files\ChristmasPorn
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\G3F9VRPQ\TURBOCODEC1315[1].EXE
C:\WINDOWS\TEMP\TURBOCODEC4531.EXE
Adware.E404 Helper/Hij
HKCR\E404.e404mgr
HKCR\E404.e404mgr\CLSID
HKCR\E404.e404mgr\CurVer
HKCR\E404.e404mgr.1
HKCR\E404.e404mgr.1\CLSID
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version
Rootkit.Unclassified/KR_Done
C:\WINDOWS\system32\kr_done1
Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\LocalService\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt
Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\XLOADER10296.EXE~
Trojan.Unclassifed/K-Series
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP292\A0033488.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP292\A0035534.EXE
C:\WINDOWS\TEMP\KDEZC.REN
C:\WINDOWS\TEMP\KDGEN.REN
Trojan.LoadAdv-Gen
C:\WINDOWS\PREFETCH\LOADADV535.EXE-0DA65DC9.PF
Adware.E404 Helper/Variant-A
C:\XKUJGMD.EXE
C:\WINDOWS\Prefetch\XKUJGMD.EXE-07347033.pf

csrcli32.dll;c:\windows\system32;Trojan.PWS.GoldSpy;Deleted.;
gtdownlr_134.ocx;c:\windows\system32;Adware.Gdown;;
logcrypt.dll;c:\windows\system32;Trojan.DownLoader.46414;Deleted.;
msdfmap.dll;c:\windows\system32;Trojan.PWS.GoldSpy;Deleted.;
msftp.dll;C:\Documents and Settings\LocalService;Trojan.DownLoader.44897;Deleted.;
msftp.dll;C:\Documents and Settings\Sam;Trojan.DownLoader.44897;Deleted.;
1202549854.exe;C:\Documents and Settings\Sam\Local Settings\Temp;Trojan.Click.16987;Deleted.;
A0036630.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Adware.Nopage;;
A0036631.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Adware.Nopage;;
A0036632.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Adware.Nopage;;
A0036633.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Adware.Nopage;;
A0036634.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Adware.Nopage;;
A0037634.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.46414;Deleted.;
A0037641.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.44897;Deleted.;
A0037642.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.44897;Deleted.;
A0037650.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.44897;Deleted.;
A0038640.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.44897;Deleted.;
A0038648.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.PWS.GoldSpy;Deleted.;
A0038649.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.46414;Deleted.;
A0038650.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.PWS.GoldSpy;Deleted.;
A0038651.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.44897;Deleted.;
A0038652.dll;C:\System Volume Information\_restore{3D3CE40B-77A8-434D-B2A6-65D3C6785DA8}\RP293;Trojan.DownLoader.44897;Deleted.;
gtdownlr_134.ocx;C:\WINDOWS\system32;Adware.Gdown;;
msftp.dll;C:\WINDOWS\system32;Trojan.DownLoader.44897;Deleted.;
202.exe;C:\WINDOWS\Temp;Trojan.Packed.147;Deleted.;
4531.exe;C:\WINDOWS\Temp;Trojan.DownLoader.44983;Deleted.;
Copy of pinch2-99-orig.exe;C:\WINDOWS\Temp;Trojan.PWS.LDPinch.1941;Deleted.;

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2870 (20080212)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=3f62cc0fb59be3478aa7aea25fbd058f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-12 10:55:18
# local_time=2008-02-12 05:55:18 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=87477
# found=11
# scan_time=686
C:\Documents and Settings\LocalService\msftp.dll  Win32/TrojanDownloader.Agent.NVF trojan (unable to clean - deleted)  00000000000000000000000000000000
C:\Documents and Settings\Sam\msftp.dll  Win32/TrojanDownloader.Agent.NVF trojan (unable to clean - deleted)  00000000000000000000000000000000
C:\Documents and Settings\Sam\Local Settings\Temp\xdihwvxa.exe~  Win32/TrojanDownloader.FakeAlert.G trojan (unable to clean - deleted)  00000000000000000000000000000000
C:\WINDOWS\system32\msftp.dll  Win32/TrojanDownloader.Agent.NVF trojan (unable to clean - deleted)  00000000000000000000000000000000
C:\WINDOWS\Temp\52FE.tmp  multiple infiltrations (deleted)  00000000000000000000000000000000
C:\WINDOWS\Temp\52FE.tmp »NSIS »4531.exe  probably a variant of Win32/TrojanDownloader.Banload.BJY trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a PART of the deleted object)  00000000000000000000000000000000
C:\WINDOWS\Temp\52FE.tmp »NSIS »dropper1005.exe  Win32/Adware.SpyKillerPro application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\WINDOWS\Temp\srsvc.exe  Win32/Adware.SpyKillerPro application (deleted)  00000000000000000000000000000000
C:\WINDOWS\Temp\srsvc.exe »NSIS »SpyKillerPro.exe  Win32/Adware.SpyKillerPro application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\WINDOWS\Temp\srsvc.exe »NSIS »SpyKillerProUpdate.exe  Win32/Adware.SpyKillerPro application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000
C:\WINDOWS\Temp\srsvc.exe »NSIS »helper.sys  Win32/Adware.SpyKillerPro application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object)  00000000000000000000000000000000

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:23 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Sam\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\Sam\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\Sam\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Sam\Local Settings\Application Data\cftmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thottbot.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Attractive Clock] G:\Program Files\Attractive Clock\Attractive Clock.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] G:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Sam\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184605009656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184606985140
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A10A1F2-DF85-4176-BFE4-AC0AED0A9830}: NameServer = 85.255.115.83,85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DB29E7A-E423-4A1C-A035-55A083D20E9B}: NameServer = 85.255.115.83,85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E8410DB-0FA6-4944-9771-4791FAE9D2A4}: NameServer = 85.255.115.83,85.255.112.205
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.205
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A10A1F2-DF85-4176-BFE4-AC0AED0A9830}: NameServer = 85.255.115.83,85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.83 85.255.112.205
O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows INSTALLER Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\WINDOWS\TEMP\~~install.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe
O23 - Service: Windows Image Acquisition (WIA) stisvcSchedule (stisvcSchedule) - Unknown owner - C:\WINDOWS\system32\advapi32v.exe
-- End of file - 7925 bytes

Download SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
- Finally add the contents of the Report.txt in your next post.
Please download Combofix by sUBs from one of the below links. (Try all three if necessary)
Important! Combofix.exe MUST be saved to and run from the Desktop.
- Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------
Next post please add:
- SDFix log
- Combofix log
I tried several times to get Combofix to work, but couldn't get it to load.
Here is the SDFix log, however...
SDFix: Version 1.141
Run by Sam on Tue 02/12/2008 at 08:28 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Safe Mode:
Checking Services:
Name:
4fdw
runtime

Path:
\??\C:\WINDOWS\system32\4fdw.dll
\??\C:\WINDOWS\System32\drivers\runtime.sys

4fdw - Deleted
runtime - Deleted
Patched user32.dll detected!
Note: SDFix Does Not Repair This File!

"C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll" 577024 03/02/2005 01:09 PM
"C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll" 577024 03/02/2005 01:19 PM
"C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll" 578048 03/08/2007 10:48 AM
"C:\WINDOWS\$NtServicePackUninstall$\user32.dll" 561152 03/02/2005 01:20 PM
"C:\WINDOWS\$NtUninstallKB890859$\user32.dll" 577024 08/04/2004 02:56 AM
"C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll" 560128 03/31/2003 07:00 AM
"C:\WINDOWS\$NtUninstallKB925902$\user32.dll" 577024 03/02/2005 01:09 PM
"C:\WINDOWS\ServicePackFiles\i386\user32.dll" 577024 08/04/2004 02:56 AM
"C:\WINDOWS\system32\user32.dll" 577536 03/08/2007 10:36 AM
"C:\WINDOWS\system32\dllcache\user32.dll" 577536 03/08/2007 10:36 AM
Download the below update to restore original files:
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\4fdw.dll - Deleted
C:\WINDOWS\system32\drivers\spool.exe - Deleted
Folder C:\Program Files\Helper - Removed
Removing Temp Files...
ADS CHECK:
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 20:38:20
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification: ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation
scanning hidden processes ...
C:\WINDOWS\system32\.9c3322f5\9c3322f5.exe [492] 0x89076788
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\9c3322f5]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\9c3322f5]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9C3322F5]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9c3322f5]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\WINDOWS\system32\.9c3322f5\9c3322f5.exe"
"DisplayName"="Microsoft DDE+ server"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\9c3322f5]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\9c3322f5]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_9C3322F5]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\9c3322f5]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\WINDOWS\system32\.9c3322f5\9c3322f5.exe"
"DisplayName"="Microsoft DDE+ server"
"ObjectName"="LocalSystem"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\system32\.9c3322f5
C:\WINDOWS\system32\.9c3322f5\9c3322f5.Aff.config 224 bytes
C:\WINDOWS\system32\.9c3322f5\9c3322f5.core.dll 162816 bytes executable
C:\WINDOWS\system32\.9c3322f5\9c3322f5.exe 51712 bytes executable
C:\WINDOWS\system32\.9c3322f5\9c3322f5.GR.config 190 bytes
C:\WINDOWS\system32\.9c3322f5\9c3322f5.ServerPlugin.config 45 bytes
scan completed successfully
hidden processes: 1
hidden services: 1
hidden files: 6
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\\Program Files\\iTunes\\iTunes.exe"="G:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 9 Feb 2008 784,896 A.SHR --- "C:\WINDOWS\wkssvc.exe~"
Sun 10 Feb 2008 38,400 ..SHR --- "C:\WINDOWS\system32\advapi32v.exe"
Sun 10 Feb 2008 41,427 ..SH. --- "C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe"
Sun 10 Feb 2008 38,761 ..SH. --- "C:\Documents and Settings\Sam\Local Settings\Application Data\cftmon.exe"
Finished!
First:
Go to www.windowsupdate.microsoft.com and get all critical updates.
----------
Second:
Download and install AVG Anti-Spyware Free to your desktop.
* Once you have downloaded AVG Anti-Spyware Free, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need to run AVG and update the definition files.
* On the main screen select the icon Update then select the Update now link.
* Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
* Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
* Under Reports
* Select Automatically generate report after every scan
* Un-Select Only if threats were found
* Under "What to scan"? "Select Scan every file".
* Close AVG Anti-Spyware Free <-- Do not run the scan yet.
Copy and paste the rest of the AVG instructions into notepad and save them to the Desktop or print them out so you can read them from safe mode.
Boot your computer into Safe mode
* Go to Start > Shut Off your Computer > Restart
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
* This will bring up a menu.
* Use the Up and Down Arrow Keys to scroll up to Safemode
* Then press the Enter on your Keyboard
* Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
* Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
* AVG will now begin the scanning process, be patient this may take a little time.
* Once the scan is complete do the following:
* If you have any infections you will be prompted, then select Apply all actions <-- be sure quarantine is selected
* Next select the Reports icon at the top.
* Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
* Make sure to remember where you saved that file, this is important (usually the desktop)
* Close AVG Anti-Spyware Free
IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may INTERFERE with the scanning process:
* Add the AVG scan report in the next post.
----------
Third:
Please run the F-Secure Online Scanner
Note: This Scanner works with Internet Explorer Only!
- Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
- Allow the Active X control to be installed on your computer, then click the Accept button
- Click Full System Scan and allow the components to download and the scan to complete.
- If malware is found, check Submit samples to F-Secure then select Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
- When the cleaning option is presented, Uncheck Submit samples to F-Secure
- Click Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post.
If needed go to Start > Run > type Notepad.exe then press OK. Paste the log into Notepad and save it to the desktop so it can easily be posted later.
This scan can take quite some time, so please be patient
Be sure to restart the computer.
----------
Fourth:
After all of the above is complete and the computer restarted, run a NEW Hijackthis scan and post the log.
----------
Next post add:
- AVG scan log
- F-Secure scan log
- New Hijackthis log

OK, did all those... Here are the logs:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at:2:16:47 PM 2/13/2008
+ Scan result:
C:\ftxybq.exe -> Backdoor.Agobot.app : CLEANED with backup (quarantined).
C:\pngdmrl.exe -> Backdoor.Agobot.app : Cleaned with backup (quarantined).
C:\WINDOWS\system32\advapi32v.exe -> Backdoor.IRCBot.bga : Cleaned with backup (quarantined).
C:\d.exe -> Backdoor.IRCBot.bga : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Rootkit.Agent.pr : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\[emailprotected][1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Sam\Cookies\[emailprotected][2].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
Scanning Report
Wednesday, February 13, 2008 15:37:19 - 16:43:26
Computer name: HOUSE1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ G:\
--------------------------------------------------------------------------------
Result: 22 malware found
Adware.Agent (spyware)
  System (Disinfected)
Backdoor.Win32.Agent.eks (virus)
  C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\TEMP\KJJ.EXE (Renamed & Submitted)
  C:\DOCUMENTS AND SETTINGS\SAM\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE (Renamed & Submitted)
  C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\CFTMON.EXE (Renamed & Submitted)
SpyKillerPro (spyware)
  System (Disinfected)
Stealth_application (hidden item)
  C:\WINDOWS\SYSTEM32\.9C3322F5\9C3322F5.EXE (Submitted)
Stealth_file (hidden item)
  C:\WINDOWS\SYSTEM32\.9C3322F5\9C3322F5.CORE.DLL
Tracking Cookie (spyware)
  System (Disinfected)
  System
  System
  System
  System
  System
  System
  System
  System
  System
Trojan-Downloader.Win32.Diehard.ef (virus)
  C:\WINDOWS\TEMP\LOAD.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.hwc (virus)
  C:\WINDOWS\SYSTEM32\MSFTP.DLL (Renamed & Submitted)
  C:\DOCUMENTS AND SETTINGS\SAM\MSFTP.DLL (Renamed & Submitted)
  C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\MSFTP.DLL (Renamed & Submitted)
Trojan.Win32.DNSChanger.apn (virus)
  C:\WINDOWS\SYSTEM32\KDKGG.EXE (Renamed & Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
  Files: 22986
  System: 3400
  Not scanned: 3
Actions:
  Disinfected: 3
  Renamed: 8
  Deleted: 0
  None: 11
  Submitted: 9

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:47 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thottbot.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Attractive Clock] G:\Program Files\Attractive Clock\Attractive Clock.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] G:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184605009656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184606985140
O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Image Acquisition (WIA) stisvcSchedule (stisvcSchedule) - Unknown owner - C:\WINDOWS\system32\advapi32v.exe (file missing)
O23 - Service: Automatic Updates wuauservdmadmin (wuauservdmadmin) - Unknown owner - C:\WINDOWS\system32\1_exceptionv.exe

-- End of file - 6195 bytes

If Combofix is still on the desktop, download a new copy and try to run it again.
Please download Combofix by sUBs from one of the below links. (Try all three if necessary.)
Important! Combofix.exe MUST be saved to and run from the Desktop.
- Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real-time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter.
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------
Next post Combofix log
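Most of the reading in a thread like this goes into the HijackThis log, and the entries that draw a helper's eye do so by their shape rather than by any file name: an O18 "Filter hijack" line, O23 services with "Unknown owner", a binary marked "(file missing)". The following is an added example, not code from this thread, from HijackThis, or from any tool named here. It encodes those shape rules as a small triage pass over a constructed sample made from a subset of the log entries posted above; the rule set, the `Finding` layout and the function names are the example's own assumptions, not HijackThis's scoring.

```python
"""Triage a HijackThis log by entry shape (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis entries posted in the thread
# above, one per line. A few benign entries are kept to show what is NOT flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thottbot.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Image Acquisition (WIA) stisvcSchedule (stisvcSchedule) - Unknown owner - C:\WINDOWS\system32\advapi32v.exe (file missing)
O23 - Service: Automatic Updates wuauservdmadmin (wuauservdmadmin) - Unknown owner - C:\WINDOWS\system32\1_exceptionv.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Yield (section, body, line) for every line shaped like an HJT entry."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text):
    """Return one Finding per entry that matches a review rule.

    The rules are this example's own heuristics (an assumption, not HijackThis
    scoring), keyed on how HijackThis phrases the entry:
      * O18 "Filter hijack": a MIME filter DLL is loaded by IE for that content
        type, so it sits in the path of every text/html response.
      * Any other O18 filter: still a content handler, so review its DLL.
      * O23 "Unknown owner": a service binary with no publisher information.
      * "(file missing)": a registration whose binary is gone, typical of a
        half-cleaned infection and worth removing so it cannot be re-armed.
    """
    findings = []
    for section, body, line in parse_entries(log_text):
        reasons = []
        if section == "O18" and body.startswith("Filter hijack:"):
            reasons.append("MIME filter hijack: the DLL is handed every text/html response")
        elif section == "O18":
            reasons.append("MIME filter registered: review the handler DLL")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service binary carries no publisher information")
        if body.endswith("(file missing)"):
            reasons.append("registered component's file is absent on disk")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def summarize(findings):
    """Count flagged entries per HijackThis section, e.g. {'O18': 2, 'O23': 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section}: {f.line}")
        for why in f.reasons:
            print(f"    - {why}")
    print(summarize(results))
```

Run as a script it prints the flagged entries with the reason for each, or import `triage()` and hand it a whole saved log. What comes out is a review list for a person, not a verdict: a legitimate driver service that ships without publisher information will land in it too, which is why the thread's helpers read the log themselves before writing fix instructions.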