Page 2 of 3
Results 11 to 20 of 21

Topic: MSN Virus

  1. #11
    Beginner
    Registered since
    09.02.2008
    Posts
    10

    Re: MSN Virus

    Oh you betcha. Definitely done more scan logs in this procedure than the rest of my life combined!

    So here is the Combofix log:

    ComboFix 08-02.05.3 - Derek 2008-02-15 17:58:28.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.429 [GMT 0:00]
    Running from: C:\Documents and Settings\Derek\My Documents\My Downloads\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Derek\Desktop\CFScript
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINDOWS\wkssvc.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\wkssvc.exe

    ----- BITS: Possible infected sites -----

    hxxp://www.download.windowsupdate.com
    hxxp://au.download.windowsupdate [unprintable binary from the BITS qmgr.dat job store omitted] WU Client Download S-1-5-18 [...] C:\WINDOWS\SoftwareDistribution\Download\393bb6d5cf2f8ddce679d2cc37627398\XLVIEWSP3.CAB
    .
    ((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
    .

    2008-02-13 21:58 . 2008-02-13 21:58 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2008-02-13 21:58 . 2008-02-13 21:58 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
    2008-02-12 02:38 . 2008-02-12 02:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-12 02:38 . 2008-02-12 02:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-10 03:20 . 2008-02-10 03:20 <DIR> d-------- C:\Deckard
    2008-02-09 01:32 . 2008-02-09 01:32 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-09 01:31 . 2008-02-09 01:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-09 01:31 . 2008-02-09 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-09 01:10 . 2008-02-09 01:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-08 22:44 . 2008-02-08 22:44 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-08 22:44 . 2008-02-08 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-07 23:03 . 2008-02-07 23:03 <DIR> d-------- C:\Program Files\MSECache
    2008-02-07 20:41 . 2008-02-07 20:41 <DIR> d-------- C:\WINDOWS\Application Data
    2008-01-28 19:06 . 2008-01-28 19:06 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\AutoTransfer
    2008-01-27 03:15 . 2008-02-07 23:05 96,216 --a------ C:\Documents and Settings\Derek\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-24 01:03 . 2008-01-24 01:03 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\LGSync
    2008-01-24 01:02 . 2008-01-24 01:02 <DIR> d-------- C:\Program Files\LG Electronics
    2008-01-24 01:01 . 2005-05-25 19:12 929,844 --a------ C:\WINDOWS\system32\MFC42D.DLL
    2008-01-24 01:01 . 2006-04-05 17:45 798,773 --a------ C:\WINDOWS\system32\MFCO42D.DLL
    2008-01-24 01:01 . 2006-01-02 21:29 434,252 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
    2008-01-24 01:01 . 2005-09-26 22:55 419,240 --a------ C:\WINDOWS\system32\Vsflex7L.ocx
    2008-01-24 01:01 . 2002-10-17 05:19 291,840 --a------ C:\WINDOWS\system32\msvcirtd.dll
    2008-01-24 01:01 . 2000-05-22 00:00 244,416 --a------ C:\WINDOWS\system32\Msflxgrd.ocx
    2008-01-24 01:01 . 2005-10-04 10:39 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
    2008-01-24 01:01 . 2005-06-28 22:12 36,864 --a------ C:\WINDOWS\system32\CSDLGE1LIB.dll
    2008-01-24 01:00 . 2008-01-24 01:01 <DIR> d-------- C:\Program Files\LGE GSM PC Sync

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-15 01:06 22,360 ----a-w C:\Documents and Settings\Derek\Application Data\wklnhst.dat
    2008-02-09 01:10 --------- d-----w C:\Documents and Settings\Derek\Application Data\Lavasoft
    2008-01-24 01:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-08 01:51 --------- d-----w C:\Documents and Settings\Derek\Application Data\dvdcss
    2008-01-05 02:47 --------- d-----w C:\Documents and Settings\Derek\Application Data\ZoomBrowser EX
    2008-01-05 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
    2007-12-29 21:45 --------- d-----w C:\Program Files\mIRC
    2007-12-26 03:10 --------- d-----w C:\Program Files\AviSynth 2.5
    2007-12-25 23:23 --------- d-----w C:\Program Files\vanBasco's Karaoke Player
    2007-12-25 01:42 --------- d-----w C:\Program Files\iTunes
    2007-12-25 01:41 --------- d-----w C:\Program Files\iPod
    2007-12-25 01:39 --------- d-----w C:\Program Files\QuickTime
    2007-12-25 01:37 --------- d-----w C:\Program Files\Apple Software Update
    2007-12-25 01:36 --------- d-----w C:\Program Files\Common Files\Apple
    2007-12-25 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-12-22 02:31 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-12-22 02:31 --------- d--h--r C:\Documents and Settings\Derek\Application Data\SecuROM
    2007-12-21 01:06 --------- d-----w C:\Documents and Settings\Derek\Application Data\Screenshot Sender
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
    2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
    "EPSON Stylus DX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.exe" [2007-04-12 06:00 182272]
    "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37 2321600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 12:00 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 12:00 455168]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 18:38 688218]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-22 18:36 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-22 18:31 126976]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-11-05 12:52 233534]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 12:24 290816]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 12:40 790528]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
    "HalfMoonAutoStart"="C:\Program Files\Lithic\HalfMoon\halfmoon.exe" [2004-06-28 18:37 548864]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20 866584]
    "AIMWDInstallFilename"="C:\PROGRA~1\AIM\AIMWDI~1.EXE" [2004-01-12 20:29 102400]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-20 18:17 185632]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

    S3 NTPASp50;NTPASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\NTPASp50.sys [2006-01-18 13:05]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{207a94dc-cdd4-11dc-b06f-00c09fdf6af8}]
    \Shell\AutoRun\command - E:\AutoTransfer.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a653162e-1fdd-11dc-af3d-00c09fdf6af8}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 17:13:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2008-02-15 17:12:45 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-15 18:03:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?1?6?9??????? ?,?B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-15 18:03:56
    ComboFix-quarantined-files.txt 2008-02-15 18:03:35
    ComboFix2.txt 2008-02-11 04:48:22
    .
    2008-02-13 02:27:50 --- E O F ---


    ------------------------------------------------------------------------------------


    And here is the Bitdefender log:

    BitDefender Online Scanner



    Scan report generated at: Fri, Feb 15, 2008 - 19:39:46





    Scan path: C:\;D:\;F:\;







    Statistics

    Time
    01:29:04

    Files
    365373

    Folders
    7441

    Boot Sectors
    4

    Archives
    2467

    Packed Files
    13905




    Results

    Identified Viruses
    5

    Infected Files
    15

    Suspect Files
    0

    Warnings
    0

    Disinfected
    0

    Deleted Files
    15




    Engines Info

    Virus Definitions
    981154

    Engine build
    AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

    Scan plugins
    16

    Archive plugins
    41

    Unpack plugins
    7

    E-mail plugins
    6

    System plugins
    5




    Scan Settings

    First Action
    Disinfect

    Second Action
    Delete

    Heuristics
    Yes

    Enable Warnings
    Yes

    Scanned Extensions
    *;

    Exclude Extensions


    Scan Emails
    Yes

    Scan Archives
    Yes

    Scan Packed
    Yes

    Scan Files
    Yes

    Scan Boot
    Yes




    Scanned File
    Status

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERH4.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERH4.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERH4.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERH4.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERI8.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERI8.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERI8.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERI8.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERIR.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERIR.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERIR.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERIR.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERKF.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERKF.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERKF.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ERKF.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5T.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5T.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5T.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5T.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5X.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5X.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5X.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES5X.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES69.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES69.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES69.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES69.js
    Updated

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES6R.js=>(gzip)
    Infected with: Trojan.Clicker.CM

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES6R.js=>(gzip)
    Disinfection failed

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES6R.js=>(gzip)
    Deleted

    C:\Documents and Settings\Derek\Application Data\Opera\Opera\profile\cache4\opr0ES6R.js
    Updated

    C:\Program Files\HPQ\Default Settings\CpqsetVer.exe
    Infected with: Backdoor.Agent.AHJ

    C:\Program Files\HPQ\Default Settings\CpqsetVer.exe
    Deleted

    C:\QooBox\Quarantine\C\WINDOWS\wkssvc.exe.vir
    Infected with: Worm.Anker.X

    C:\QooBox\Quarantine\C\WINDOWS\wkssvc.exe.vir
    Deleted

    C:\System Volume Information\_restore{10256FD1-69C1-43B1-8D7C-07EDE9F86A47}\RP373\A0035481.exe
    Infected with: Worm.Anker.X

    C:\System Volume Information\_restore{10256FD1-69C1-43B1-8D7C-07EDE9F86A47}\RP373\A0035481.exe
    Deleted

    C:\System Volume Information\_restore{10256FD1-69C1-43B1-8D7C-07EDE9F86A47}\RP381\A0036197.exe
    Infected with: Worm.Anker.X

    C:\System Volume Information\_restore{10256FD1-69C1-43B1-8D7C-07EDE9F86A47}\RP381\A0036197.exe
    Deleted

    C:\System Volume Information\_restore{10256FD1-69C1-43B1-8D7C-07EDE9F86A47}\RP381\A0036233.exe
    Infected with: Backdoor.Agent.AHJ

    C:\System Volume Information\_restore{10256FD1-69C1-43B1-8D7C-07EDE9F86A47}\RP381\A0036233.exe
    Deleted

    C:\WINDOWS\system32\drivers\etc\hosts.20080209-225447.backup
    Infected with: Generic.Qhost.AD5E848D

    C:\WINDOWS\system32\drivers\etc\hosts.20080209-225447.backup
    Disinfection failed

    C:\WINDOWS\system32\drivers\etc\hosts.20080209-225447.backup
    Deleted

    C:\WINDOWS\system32\drivers\etc\hosts.20080209-225542.backup
    Infected with: Generic.Qhost.D04E5D79

    C:\WINDOWS\system32\drivers\etc\hosts.20080209-225542.backup
    Disinfection failed

    C:\WINDOWS\system32\drivers\etc\hosts.20080209-225542.backup
    Deleted



    Seems like things are going well so I would imagine it's almost, if not completely clear now. Hopefully anyway. :/
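
    The two hosts-file backups flagged as Generic.Qhost in the BitDefender log above are the kind of tampering a practitioner should be able to spot without a scanner. The following Python is an added example, not part of the original post or of any BitDefender tool: it parses a hosts file and flags security-vendor or update domains that have been overridden (typically pinned to 127.0.0.1 so updates and online scanners silently fail) and any name redirected to a non-loopback address. The watch list, the finding labels and the sample hosts file are all constructed for this example; legitimate LAN entries will also land in the "redirect" bucket and need a human look.

```python
"""Added example: spot hosts-file tampering of the kind BitDefender labels Generic.Qhost.

Two patterns matter:
  * a security-vendor or update domain mapped anywhere (usually to 127.0.0.1),
    which silently blocks signature updates and online scanners;
  * any other name mapped to a non-loopback, non-unspecified address, i.e. a
    redirect to a host the attacker controls. Legitimate LAN entries also land
    here, so treat them as leads to review, not verdicts.
The watch list and the sample hosts file below are constructed for this example.
"""
import ipaddress

# Domains malware commonly pins to loopback to block updates (assumed list).
WATCHED_DOMAINS = (
    "windowsupdate.com", "update.microsoft.com", "bitdefender.com",
    "avast.com", "kaspersky.com", "trendmicro.com",
    "safer-networking.org", "lavasoft.com",
)

# Constructed sample, modelled on a Qhost-style hosts file (not from the post).
SAMPLE_HOSTS = r"""
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.download.windowsupdate.com
127.0.0.1       au.download.windowsupdate.com
127.0.0.1       download.bitdefender.com   # online scanner now unreachable
203.0.113.7     www.google.ie              # browser start page redirected
::1             localhost
"""


def is_watched(name):
    """True if name is, or is a subdomain of, a watched domain."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def check_hosts(text):
    """Return [(kind, ip, hostname), ...] for every entry worth a second look."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, name))
            continue
        if is_watched(name):
            # Any override of a watched domain is suspicious, whatever the address.
            findings.append(("security_domain_override", ip, name))
        elif not (addr.is_loopback or addr.is_unspecified):
            # Loopback/0.0.0.0 mappings are the ad-blocker style; anything else redirects.
            findings.append(("redirect", ip, name))
    return findings


if __name__ == "__main__":
    for kind, ip, name in check_hosts(SAMPLE_HOSTS):
        print(f"{kind:26} {ip:16} {name}")
```

    On a live XP box the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; note that the scanner above deleted only the timestamped .backup copies, so the active file is worth checking by hand.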

  2. #12
    Moderator (global), team member
    Registered since
    25.11.2006
    Posts
    5,951

    Re: MSN Virus

    Looks good there, except BitDefender appears to still be set for a false positive (a good file mistakenly identified as malware) on an HP file you have. Had, as BitDefender's online scan deletes without a quarantine option. Other than that I need to let BitDefender staff know to correct for that, I see in other requests where this occurred that the system would not have a backup of the file (CpqsetVer.exe), and I believe there is a location it can be downloaded from. I'll check and get back to you here after.

  3. #13
    Moderator (global), team member
    Registered since
    25.11.2006
    Posts
    5,951

    Re: MSN Virus

    BitDefender hasn't contacted me back yet, but I downloaded and extracted a copy from HP and see no issues with it. A web search indicates this file has had an on and off issue with being picked up at different times as that same infection name, but each time appears to be a false positive.

    Although it may not be the same version as the one the scan removed, I will upload a zipped (compressed) copy of it for you to return to the following folder there:

    C:\Program Files\HPQ\Default Settings <--- that folder

    Unzip the attached file and place the CpqsetVer.exe copy from it in that highlighted folder. Then reboot, run and post back new ComboFix and HijackThis logs please, and let me know if any new issues occur as a result of the file exchange.
    Attached files

  4. #14
    Beginner
    Registered since
    09.02.2008
    Posts
    10

    Re: MSN Virus

    OK, so sorry about the long hiatus. I have been really busy this past week. Last couple of weeks of this college term and so much to do. Here is the HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:42:35, on 23/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AIM\AIMWDI~1.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HPQ\shared\hpqwmi.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE /FU "C:\WINDOWS\TEMP\E_S54C.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11971 bytes


    Hope we got 'em all
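
    Reading a HijackThis log like the one above by eye is tedious, and the things that matter are mechanical: BHOs whose DLL is "(no file)" (the orphaned CLSID in the O2 section above), autostarts whose executable lives somewhere no installer would put it, and ActiveX controls pulled from hosts nobody recognises. The Python below is an added example, not part of the original post or of HijackThis itself, that does that first pass over the log's own line formats (O2, O4, O16). The expected-directory list, the ActiveX host allowlist and the sample lines are assumptions constructed for this example; the wkssvc.exe and Temp\svchost.exe Run entries are invented to show what a hit looks like and do not come from the log above. Flagged lines are leads for a reviewer, not verdicts.

```python
"""Added example: mechanical first-pass triage of a HijackThis-style log.

Flags three things a reviewer would otherwise spot by eye:
  * O2 BHO entries whose DLL is "(no file)" (orphaned CLSID)
  * O4 autostarts whose executable is outside the usual install directories
  * O16 ActiveX (DPF) downloads from hosts not on a short allowlist
The directory list, the allowlist and SAMPLE_LOG are constructed for this
example; they are not HijackThis's own rules.
"""
import re
from urllib.parse import urlparse

# Where legitimate autostart executables live on this (assumed) XP install.
EXPECTED_DIRS = (
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\ime\\",
)
# Hosts this machine is expected to pull ActiveX controls from (assumption).
TRUSTED_DPF_HOSTS = {"download.bitdefender.com", "messenger.zone.msn.com"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<where>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<rest>.*)$", re.I)
# First executable-looking token, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|pif|bat|cmd))"?', re.I)
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)", re.I)

# Constructed sample in HijackThis's line format. The wkssvc.exe and
# Temp\svchost.exe Run entries are invented hits, not lines from the post.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [wkssvc] C:\WINDOWS\wkssvc.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/constructed-path/oscan8.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Installer) - http://example.invalid/inst.cab
"""


def normalise(path):
    """Lower-case and expand the one environment variable HijackThis leaves in."""
    return path.lower().replace("%programfiles%", "c:\\program files")


def triage(lines):
    """Return [(kind, line), ...] for every line that deserves a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(("orphan_bho", line))
            continue
        m = O4_RE.match(line)
        if m:
            # Startup-folder lines read "Name.lnk = C:\path\target.exe"; keep the target.
            target = m.group("rest").split(" = ")[-1]
            e = EXE_RE.match(target)
            # A bare filename with no directory (AutoTBar.exe above) cannot be
            # resolved from the log, so it is flagged too.
            if e and not normalise(e.group("path")).startswith(EXPECTED_DIRS):
                findings.append(("unusual_autostart", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("untrusted_activex", line))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{kind:18} {line}")
```

    The location heuristic is deliberately crude: it would not have caught CpqsetVer.exe in Program Files\HPQ, which is exactly why the moderator's false-positive check against a known-good copy from the vendor is the right follow-up for anything inside an expected directory.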

  5. #15
    Moderator (global) Team member
    Registered since
    25.11.2006
    Posts
    5.951

    Re: MSN Virus

    Looks good - did that file return that software back to normal (were you able to tell)? A mention - your system has quite a few toolbars and browser helper objects there - most of these make their own independent server connections each time your browser is opened, and often do some transfer of info they call "updating". If you find opening browsers very slow, you should consider uninstalling some of these through Add/Remove Programs. Before we do a cleanup of what we added here, are there any problems at this time?

  6. #16
    Beginner
    Registered since
    09.02.2008
    Posts
    10

    Re: MSN Virus

    Sorry about the late reply again. Busy with assignment deadlines and exams. :/

    Well, I did unzip and put back that file you attached and I'm not entirely sure if it really did anything, but my perception is that it made my laptop run faster than without it. Can't really say for certain if that was what caused it though.

    As for the toolbars, I really only use Opera and occasionally IE in case there's something that only runs in that browser so I normally wouldn't have any problems with the toolbars but I uninstalled them now since I don't use them anyway.

    As for any other problems, nothing else seems to be out of the ordinary here. It all seems fairly normal to me. Hopefully everything's fixed up now.

  7. #17
    Moderator (global) Team member
    Registered since
    25.11.2006
    Posts
    5.951

    Re: MSN Virus

    Sounds good. For cleanup of our work, you can uninstall BitDefender through IE - Tools - click Uninstall BitDefender Online Scanner v8.


    The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveAutoRun"=dword:00000000
    "NoDriveTypeAutoRun"=dword:00000095

    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.

    -----------------------------------


    Then download OTMoveIt2 and save the file to your desktop.

    Please double-click OTMoveIt.exe to run it and click on Cleanup. When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

    OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders (with the exception of <blank>) and then delete itself when you next reboot.

    ----------------------

    And a last measure is to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

    You will be asked if you are sure; click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

    When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

    In addition, I'd like to recommend reviewing the information here to make sure you stay malware free.
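
The registry fragment in the post above sets two Explorer policy values; `NoDriveTypeAutoRun` is a bitmask in which each set bit disables AutoRun for one drive type, so `0x95` (the Windows XP default) still allows AutoRun on CD-ROM and fixed drives, while `0xFF`, the value Microsoft documents for disabling AutoRun on every drive type, is what the earlier lock-down most likely left in place. The script below is an added example, not code from the thread or from any tool named in it: it parses a REGEDIT4 text (dword values only), refuses any dword that is not written with the eight hex digits the format requires, so a typo like a seven-digit value is caught before the file is merged, and decodes the mask into the drive types it disables and the ones it leaves exposed. `AUTOFIX_REG` is a constructed copy of the post's file; the bit-to-drive-type table follows Microsoft's documentation of the value.

```python
import re

# Bit positions of the NoDriveTypeAutoRun mask; a set bit disables AutoRun for
# that drive type. Bit assignments follow Microsoft's documentation of the value.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}

EXPLORER_POLICY_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
)

# Constructed copy of the thread's autofix.reg, with the dword written out to the
# eight hex digits the REGEDIT4 format requires.
AUTOFIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000095
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]+)$')


def parse_reg(text):
    """Parse a REGEDIT4 text into {key_path: {value_name: int}}.

    Only dword values are supported, which is all this fragment needs; anything
    else, and any dword that is not exactly eight hex digits, raises ValueError
    so a typo is caught before the file is merged into the registry.
    """
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    keys = {}
    current = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported or malformed entry {line!r}")
        if current is None:
            raise ValueError(f"line {lineno}: value appears before any [key] line")
        name, hexval = m.groups()
        if len(hexval) != 8:
            raise ValueError(
                f"line {lineno}: dword for {name!r} has {len(hexval)} hex digits, expected 8"
            )
        keys[current][name] = int(hexval, 16)
    return keys


def autorun_disabled_for(mask):
    """Drive types whose AutoRun is disabled by the given NoDriveTypeAutoRun mask."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def autorun_allowed_for(mask):
    """Drive types that will still AutoRun under the given mask."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not mask & bit]


def autorun_report(reg_text):
    """Validate a .reg fragment and summarise what it does to AutoRun."""
    values = parse_reg(reg_text).get(EXPLORER_POLICY_KEY, {})
    # If the file does not touch the mask, assume the XP default of 0x95.
    mask = values.get("NoDriveTypeAutoRun", 0x95)
    return {
        "mask": mask,
        "disabled": autorun_disabled_for(mask),
        "still_autoruns": autorun_allowed_for(mask),
        "locks_down_all_drives": mask == 0xFF,
    }


if __name__ == "__main__":
    print(autorun_report(AUTOFIX_REG))
```

Running it on the constructed file reports that `0x95` disables AutoRun for unknown, removable, and network drives but leaves CD-ROM and fixed drives able to AutoRun, which is exactly the trade-off the post describes when it restores the Windows default; feeding it a copy with `dword:0000000` (seven digits) raises a `ValueError` instead of silently producing a file regedit may interpret differently from what was intended.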

  8. #18
    Beginner
    Registered since
    09.02.2008
    Posts
    10

    Re: MSN Virus

    Ok so I've done everything you've outlined there. Things seem to be good and I'm not noticing anything suspicious. Is that everything sorted now?

  9. #19
    Moderator (global) Team member
    Registered since
    25.11.2006
    Posts
    5.951

    Re: MSN Virus

    You should be good to go now.

  10. #20
    Beginner
    Registered since
    09.02.2008
    Posts
    10

    Re: MSN Virus

    Great news! Thanks for all your help mate. Greatly appreciated. ^^
