Win32:BHO-KD

Avast alerted on the Avenger quarantined file - no problem there. And Avenger has just, i.e. yesterday, updated to version 2.

Hi, sorry about the Avenger, didn’t know the new version was out. Thanks essexboy. Right on the money CharleyO.

We’ll use combofix again and see if that file is there or just a stuck reg key. And we will remove the old AVG services as well.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad, copy and paste the following text into it:

sc stop Avg7UpdSvc
sc delete Avg7UpdSvc
sc stop Avg7Alrt
sc delete Avg7Alrt
exit

Click File, click Save As. Set it to save on the Desktop. Name the file (including the " " marks) “gone.bat”.

Click save.

You should now have a file with an icon as shown below. Please double click it. Close the window if it stays. You can delete gone.bat after you have run it.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\commdl.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{330052B8-D2DA-4002-A6B0-6ADED622BCE9}]

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: when doing the ComboFix fix

A window may open with a warning. Type “1” (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Click File, click Exit and answer ‘Yes’ to save changes.

You can attach the logs by using the additional options button on the reply page. You may have to scroll down a bit to see the browse button.
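The two kinds of entry the fix above targets, a BHO or IE button whose DLL is gone ("(no file)") and a service whose binary is gone ("(file missing)"), can be pulled out of an HJT log mechanically. The following Python is an added example, not part of this thread and not HijackThis or ComboFix code: it parses the O2/O9/O23 lines, flags orphaned entries, and writes the same shape of `sc stop` / `sc delete` batch text as gone.bat. The sample log lines are constructed from the lines quoted in this post; the optional `file_exists` hook is an assumed stand-in for checking the path on the affected machine (the example itself touches neither the registry nor the disk), which covers the "real file or just a stuck reg key" question the ComboFix run answers.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: HijackThis lines in the format used in this thread
# (four orphaned entries, one BHO whose DLL may still be on disk, one healthy service).
SAMPLE_HJT_LOG = "\n".join([
    r"O2 - BHO: (no name) - {330052B8-D2DA-4002-A6B0-6ADED622BCE9} - C:\WINDOWS\system32\commdl.dll",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
])


@dataclass
class Entry:
    kind: str       # HJT section the line came from: O2, O9 or O23
    name: str       # display name as HJT printed it ("(no name)" is common for malware BHOs)
    ident: str      # CLSID for O2/O9; the service key name (what sc.exe wants) for O23
    path: str       # path HJT reported, "" when it reported "(no file)"
    orphaned: bool  # the registry entry points at a file that is not there


# O2 (BHO) and O9 (IE toolbar button) share one layout: name - {CLSID} - path
BHO_RE = re.compile(
    r"^(?P<kind>O[29]) - (?:BHO|Extra button): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O23: display name, optional "(keyname)", owner, path, optional " (file missing)"
SVC_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.*?) - (?P<path>.*)$")
MISSING = " (file missing)"


def parse_line(line: str, file_exists: Optional[Callable[[str], bool]] = None) -> Optional[Entry]:
    """Parse one HJT line into an Entry, or None for sections this example does not handle.

    file_exists (assumed hook, e.g. os.path.exists on the affected machine) is asked
    about every path HJT printed without a "missing" marker, so an entry like the
    commdl.dll BHO above still gets an on-disk check."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        path = m.group("path")
        if path == "(no file)":
            return Entry(m.group("kind"), m.group("name"), m.group("clsid"), "", True)
        gone = file_exists is not None and not file_exists(path)
        return Entry(m.group("kind"), m.group("name"), m.group("clsid"), path, gone)
    m = SVC_RE.match(line)
    if m:
        path = m.group("path")
        gone = path.endswith(MISSING)
        if gone:
            path = path[:-len(MISSING)]
        elif file_exists is not None:
            gone = not file_exists(path)
        # sc.exe addresses a service by its key name; HJT prints it in parentheses
        # after the display name and omits it when the two are the same.
        ident = m.group("short") or m.group("display")
        return Entry("O23", m.group("display"), ident, path, gone)
    return None


def triage(log_text: str, file_exists=None) -> List[Entry]:
    """All O2/O9/O23 entries in an HJT log, in log order."""
    return [e for e in (parse_line(l, file_exists) for l in log_text.splitlines()) if e]


def orphans(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.orphaned]


def service_cleanup_script(entries: List[Entry]) -> str:
    """Batch-file text in the shape of the thread's gone.bat: stop and delete each
    orphaned service by key name (quoted if it contains spaces), then exit."""
    lines = []
    for e in entries:
        if e.kind == "O23" and e.orphaned:
            name = f'"{e.ident}"' if " " in e.ident else e.ident
            lines += [f"sc stop {name}", f"sc delete {name}"]
    lines.append("exit")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for e in orphans(found):
        print(f"{e.kind} {e.ident}: {e.name} -> {e.path or '(no file)'}")
    print(service_cleanup_script(found))
```

Run stand-alone it lists the four entries HJT itself marks as gone and prints the same four `sc` lines plus `exit` as gone.bat; pass `file_exists=os.path.exists` on the machine being cleaned to also catch entries whose path HJT printed but which no longer exist.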

Hi oldman.
You won't believe this, but this is my 3rd attempt to reply!!
Sorry about the delay in getting back to you, I have only just read all of your reply!
I have done all you requested, the only thing is I didn’t save the HiJack This report, so I did another one after all the other things you asked to be done!
So the Hijack log is not the one I clicked the items on, if that makes any sense! I could not find the items beginning with O2/BHO … and O9\extra button…, but I seem to remember doing that one the very first time I ran that programme.
Thanks again you guys are brilliant!!!
So here are the logs (hopefully)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*h
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jim')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LaLa')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Mum')
O4 - HKUS\S-1-5-21-2000478354-1682526488-839522115-500\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


End of file - 5542 bytes

Hi again.
Didn’t go, too much info, so here is the other log.
Many thanks again.
JPS

ComboFix 08-02-25.3 - Owner 2008-03-05 15:15:34.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\commdl.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 14:25 . 2008-03-05 14:25 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-03 16:15 . 2008-03-03 16:15 16 --a------ C:\WINDOWS\wininit.ini
2008-03-03 15:58 . 2008-03-03 15:58 d-------- C:\Program Files\C-Media
2008-03-03 15:58 . 2002-07-16 20:33 20,333 --------- C:\WINDOWS\cmaudio.ini
2008-02-29 15:51 . 2008-02-29 15:51 d---s---- C:\Documents and Settings\LaLa\UserData
2008-02-28 13:25 . 2008-02-28 13:25 d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-24 20:39 . 2008-02-24 20:39 d-------- C:\Documents and Settings\Jim\Application Data\Yahoo!
2008-02-20 17:29 . 2008-02-20 17:29 d--hs---- C:\found.000
2008-02-18 22:02 . 2008-02-18 22:02 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-17 00:08 . 2008-02-17 00:08 32,648 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-02-14 23:39 . 2008-02-14 23:39 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 17:44 . 2008-02-12 17:44 d-------- C:\Program Files\Trend Micro
2008-02-10 16:53 . 2008-03-05 14:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-10 16:53 . 2008-03-03 15:58 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 14:52 --------- d-----w C:\Program Files\SpywareDetector
2008-03-05 14:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 14:12 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-29 15:55 --------- d-----w C:\Program Files\Google
2008-02-28 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-27 15:07 --------- d-----w C:\Program Files\Yahoo!
2008-02-17 17:55 --------- d-----w C:\Program Files\DivX
2008-01-30 11:03 6,144 ----a-w C:\WINDOWS\system32\SDEarlyDelete.exe
2008-01-28 20:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-01-27 20:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-25 18:58 67,024 ----a-w C:\WINDOWS\system32\CloseAll.exe
2008-01-06 20:32 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-28 21:12 73,728 ----a-w C:\WINDOWS\system32\CavEmLSP.dll
2007-12-28 21:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-28 21:12 434,252 ----a-w C:\WINDOWS\system32\MSVCRTD.DLL
2007-12-28 21:12 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-28 21:12 216,576 ----a-w C:\WINDOWS\system32\monln.dll
2007-12-28 21:12 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27 1065288]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-12-24 17:39 706000]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2008-02-01 18:31 423376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-11 05:25 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2008-01-28 11:30 167936 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPSON Stylus C62 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\sessmgr.exe"=
"C:\Program Files\Messenger\msmsgs.exe"=

S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 10:49]
S3 USBCamera;4.1M MPEG4 DV Bulk Driver;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 22:22:33 C:\WINDOWS\Tasks\System Restore.job"

  • C:\WINDOWS\system32\Restore\rstrui.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 15:19:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-03-05 15:25:00
ComboFix-quarantined-files.txt 2008-03-05 15:24:54
ComboFix2.txt 2008-02-27 17:37:38
.
2008-03-02 17:32:47 --- E O F ---

Looks like you gave the critter the bum’s rush.

So, if no problems, you can clean up the tools we used. You can re-enable teatimer when you are done.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  • Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/

  • If you are using Windows Firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0

Take care and keep safe.

Hi oldman.
Done all you asked again, what can I say, absolutely brilliant!!!
I was so close to going through the reinstalling of XP and all the extra work that entails, until you guys did the business.
I am just going through looking at your links for firewall.
The only thing that I don't think I have been able to do is to re-enable TeaTimer, is this something important?
Apart from that GREAT!!!
Many many thanks!!
JPS

Here’s a link to what it does

http://www.safer-networking.org/en/faq/33.html

Open Spybot

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
check resident “teatimer”
click allow change
reboot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:14, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\AMD\RAIDXpert_jvm\bin\java.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safyway.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.safyway.blogspot.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: StartupFaster (User 'SYSTEM')
O4 - .DEFAULT Startup: StartupFaster (User 'Default user')
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200743143062
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFA6B5C1-BE89-4C6C-87A3-DAD2C381CEA1}: NameServer = 172.25.1.1,202.65.128.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD RAIDXpert (AMDRAIDXpert) - Unknown owner - C:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 1: (no name) - http://google.co.in/


End of file - 6392 bytes


Welcome to the forums, cupidarrow.

Please post your HJT log in a new thread so as to not confuse the help given in this thread.