#11  30-03-2008, 12:11 AM  evilfantasy (CJ Moderator)
Problem - GOOGLE DISABLED BY SPYWARE!!

Still a few left to deal with. Please download Combofix by sUBs from one of the below links. (Try all three if necessary)

Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly. Still be sure to rename combofix as detailed above.

----------

Next post: add Combofix log
#12  30-03-2008, 12:12 AM  lawt555 (CJ Member, England)

hi evilfantasy..

you seem to have fixed the problem for me...... i can now use google search without the problems..

thanks so much.

do you still require the malware and SDFix scan results?

is there any software you would recommend putting on my PC that will stop any similar problems in the future?

kind regards
kevin
#13  30-03-2008, 12:13 AM  evilfantasy (CJ Moderator)

See my above post. There are still a few left to deal with.
#14  30-03-2008, 12:24 AM  lawt555 (CJ Member, England)

Yeah, sorry about that. Sent my last message before reading your previous one. Just done the combofix. See below results.

Just as a side, it's probably a silly question, but could any of this data/information from my computer be used by third parties for malicious purposes?

ComboFix 08-03-29.1 - abc 2008-03-30 2:15:24.1 - NTFSx86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
hxxp://assist.talktalk.net
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Malwarebytes
2008-03-29 21:35 . 2008-03-29 21:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 21:23 . 2008-03-30 02:04 <DIR> d-------- C:\SDFix
2008-03-29 20:43 . 2008-03-29 20:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 15:01 . 2008-03-29 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-03-29 15:01 . 2007-11-26 11:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-03-29 15:01 . 2007-05-08 18:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-03-29 15:01 . 2004-08-04 02:07 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-03-29 15:01 . 2008-03-30 02:14 10,632 --a------ C:\WINDOWS\BOC425.INI
2008-03-25 23:27 . 2008-03-25 23:27 26,624 --a------ C:\Documents and Settings\abc\file.exe
2008-03-20 23:46 . 2008-03-20 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-17 01:01 . 2008-03-17 01:01 268 --ah----- C:\sqmdata04.sqm
2008-03-17 01:01 . 2008-03-17 01:01 244 --ah----- C:\sqmnoopt04.sqm
2008-03-16 23:35 . 2008-03-29 15:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-16 23:35 . 2008-03-29 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 12:47 . 2008-03-16 12:47 268 --ah----- C:\sqmdata03.sqm
2008-03-16 12:47 . 2008-03-16 12:47 244 --ah----- C:\sqmnoopt03.sqm
2008-03-16 02:29 . 2008-03-16 02:32 144 --ahs---- C:\WINDOWS\system32\3230873064.dat
2008-03-15 18:49 . 2008-03-15 18:49 268 --ah----- C:\sqmdata02.sqm
2008-03-15 18:49 . 2008-03-15 18:49 244 --ah----- C:\sqmnoopt02.sqm
2008-02-28 00:58 . 2008-02-28 00:58 57,344 --a------ C:\o7sx70.exe
2008-02-26 21:33 . 2008-03-30 01:39 4 --a------ C:\WINDOWS\system32\GVTunner.ref
2008-02-17 23:18 . 2008-02-17 23:18 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Leadertech
2008-02-13 00:12 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-13 00:12 . 2001-08-17 23:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 00:39 24,944 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-03-29 14:13 --------- d-----w C:\Documents and Settings\abc\Application Data\AVG7
2008-03-29 14:01 --------- d-----w C:\Program Files\Comodo
2008-03-28 19:55 --------- d-----w C:\Documents and Settings\abc\Application Data\LimeWire
2008-03-20 22:46 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 22:44 --------- d-----w C:\Documents and Settings\abc\Application Data\Lavasoft
2008-03-20 22:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 23:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 23:06 --------- d-----w C:\Program Files\Google
2008-02-25 22:11 32,336 ----a-w C:\Documents and Settings\abc\Application Data\GDIPFONTCACHEV1.DAT
2008-02-17 22:22 --------- d-----w C:\Documents and Settings\abc\Application Data\Nokia Multimedia Player
2008-02-13 20:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-18 00:06 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"EasyTuneVPro"="C:\Program Files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 15:05 20480]
"NWEReboot"="" []
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 02:12 2658304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-07 02:43 185632]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 20:24 579072]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 02:07 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2007-11-22 21:05 1481984]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 10:33 202016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 11:38 342272]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-09 02:13 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 02:07:30 61440]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-12-20 01:18:02 1167360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-11-22 21:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-11-22 21:05]
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-11-12 15:46]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);"C:\Program Files\TalkTalk\bin\sprtsvc.exe" /service /p TalkTalk []
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);"C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe" /p TalkTalk []
R3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-03-30 01:39]
R3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5Pro\markfun.w32 [2007-08-21 11:49]
R4 atidgllk;atidgllk;C:\Program Files\Gigabyte\ET5Pro\atidgllk.sys [2006-07-19 12:25]
S3 Cap7134;VideoMate TV Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys []
S3 PhTVTune;VideoMate TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys []
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc2.sys [2003-05-07 16:54]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-06-15 11:49]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-08-02 15:42]
*Newly Created Service* - MARKFUN_NT
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 02:17:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\ET5Pro\markfun.w32"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-03-30 2:17:39
ComboFix-quarantined-files.txt 2008-03-30 01:17:29
Pre-Run: 68,993,384,448 bytes free
Post-Run: 68,981,104,640 bytes free
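An added example, not code from the thread, from ComboFix or from its author: a small Python parser for the "Files Created" section of the log above, plus three constructed triage rules (hidden/system attributes on a fresh file, an executable sitting directly in a drive or profile root, an all-digit file name). The embedded input is an excerpt of the posted log; the rules are illustrative heuristics that surface the files the moderator later deletes or sends for scanning, and every hit still needs a human look.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the "Files Created" section of the ComboFix log posted above,
# copied from the thread (plus the start of the next section, so the code
# has to find where "Files Created" ends).
LOG_EXCERPT = r"""
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 15:01 . 2007-11-26 11:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-03-29 15:01 . 2004-08-04 02:07 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-03-25 23:27 . 2008-03-25 23:27 26,624 --a------ C:\Documents and Settings\abc\file.exe
2008-03-17 01:01 . 2008-03-17 01:01 268 --ah----- C:\sqmdata04.sqm
2008-03-17 01:01 . 2008-03-17 01:01 244 --ah----- C:\sqmnoopt04.sqm
2008-03-16 02:29 . 2008-03-16 02:32 144 --ahs---- C:\WINDOWS\system32\3230873064.dat
2008-02-28 00:58 . 2008-02-28 00:58 57,344 --a------ C:\o7sx70.exe
2008-02-26 21:33 . 2008-03-30 01:39 4 --a------ C:\WINDOWS\system32\GVTunner.ref
2008-02-13 00:12 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 00:39 24,944 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
"""

# One "Files Created" line: created stamp, ".", modified stamp, size or <DIR>,
# attribute flags (d=directory, a=archive, h=hidden, s=system), then the path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) ([dsahr-]{9}) (.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: str      # "<DIR>" or the byte count as printed, e.g. "238,848"
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_files_created(log: str) -> List[Entry]:
    """Return the entries between the 'Files Created' banner and the next banner."""
    entries: List[Entry] = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("((("):            # every section banner starts like this
            in_section = "Files Created" in line
            continue
        m = ENTRY_RE.match(line.strip()) if in_section else None
        if m:
            entries.append(Entry(*m.groups()))
    return entries


# Constructed triage rules (this example's own, not ComboFix's logic):
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".pif"}
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:$", re.I)
PROFILE_ROOT_RE = re.compile(r"^[A-Z]:\\Documents and Settings\\[^\\]+$", re.I)


def triage(entry: Entry) -> List[str]:
    """Rules an entry trips; an empty list means nothing unusual was noticed."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    if "h" in entry.attrs or "s" in entry.attrs:
        reasons.append("recently created file carries hidden/system attributes")
    stem, dot, ext = entry.name.rpartition(".")
    in_root = DRIVE_ROOT_RE.match(entry.parent) or PROFILE_ROOT_RE.match(entry.parent)
    if dot and "." + ext.lower() in EXEC_EXT and in_root:
        reasons.append("executable sitting directly in a drive or profile root")
    if stem.isdigit():
        reasons.append("file name is all digits")
    return reasons


def suspicious_paths(log: str) -> Dict[str, List[str]]:
    """Map each flagged path in the 'Files Created' section to the rules it tripped."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_files_created(log):
        reasons = triage(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in suspicious_paths(LOG_EXCERPT).items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

On the excerpt this flags file.exe, the two sqm files, 3230873064.dat and o7sx70.exe, and leaves the Program Files, WINDOWS and system32 entries alone; the Find3M lines are not parsed because they sit under a different banner.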
#15  30-03-2008, 12:30 AM  lawt555 (CJ Member, England)

combofix info sent with post reply.
#16  30-03-2008, 12:51 AM  evilfantasy (CJ Moderator)

No, the only information that can be had is what kind of computer you have and what is installed. Your name may be found but it wouldn't be of much use. You could be in any part of the world for all anybody knows. There is just enough information for me to know what tools to use to rid the malware. If I ever do see anything that may be used by a third party (IP Address or Email) then I will edit it out. But that has only happened a few times. Looking at the log now. Be right back.
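As an added example (not code from the thread or from the helper), the redaction the moderator describes, applied to the ComboFix log format before a log is posted publicly: account names are inferred from the "Documents and Settings" profile paths and masked everywhere they appear as a word, then e-mail addresses and IPv4 literals are masked. The sample input is constructed: its first five lines are copied from the log above, the last line is invented (documentation-range address and an .invalid mailbox) purely to exercise those two rules.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample in the shape of the ComboFix log posted above: the first
# five lines are copied from that log (account name "abc"); the last line is
# invented so that the e-mail and IP rules are exercised as well.
SAMPLE_LOG = r"""ComboFix 08-03-29.1 - abc 2008-03-30 2:15:24.1 - NTFSx86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe
2008-03-25 23:27 . 2008-03-25 23:27 26,624 --a------ C:\Documents and Settings\abc\file.exe
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
contact=someone@example.invalid last_ip=192.0.2.44
"""

# Profile folders that belong to Windows itself rather than to a person.
BUILTIN_PROFILES = {"All Users", "Default User", "LocalService", "NetworkService"}
PROFILE_RE = re.compile(r'\\Documents and Settings\\([^\\\r\n"]+)')
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Four dot-separated groups of 1-3 digits; a short version string would also be
# masked, which is acceptable here because over-masking is the safe direction.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def account_names(log: str) -> Set[str]:
    """Account names inferred from the profile paths in the log, minus the built-ins."""
    return {m.group(1) for m in PROFILE_RE.finditer(log)} - BUILTIN_PROFILES


def redact(log: str) -> Tuple[str, Dict[str, int]]:
    """Return (redacted_log, counts). Each account name is replaced wherever it
    stands as a separate word, which also covers the 'ComboFix ... - abc ...'
    header line; then e-mail addresses and IPv4 literals are masked."""
    counts = {"account": 0, "email": 0, "ipv4": 0}
    out = log
    for name in sorted(account_names(log), key=len, reverse=True):
        word = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
        out, n = word.subn("<USER>", out)
        counts["account"] += n
    out, n = EMAIL_RE.subn("<EMAIL>", out)
    counts["email"] += n
    out, n = IPV4_RE.subn("<IPV4>", out)
    counts["ipv4"] += n
    return out, counts


if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_LOG)
    print(redacted)
    print(counts)
```

The file names, registry values and installed-software paths are left untouched, so a helper reading the redacted log still has everything the moderator says is needed to pick the right tools.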
#17  30-03-2008, 02:09 AM  evilfantasy (CJ Moderator)

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
 
File::
C:\Documents and Settings\abc\file.exe
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\system32\3230873064.dat
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
C:\WINDOWS\system32\drivers\ctfmon.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Scan Suspicious File(s)

Please visit one of the following:
(Multiple sites are given in case one is not working)
(If more than one file needs to be scanned they must be done separately and logs posted for each one)

Copy the file path in the code box below.
Code:
C:\o7sx70.exe
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  • Next click Send File/Submit/Upload (depending on the site)
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Please wait for all of the scanning engines to complete.
  • Copy and then Paste the results in the next reply.
----------

Next post
Combofix log
Results of file scan

Last edited by evilfantasy : 30-03-2008 at 02:09 AM.
#18  30-03-2008, 11:57 AM  lawt555 (CJ Member, England)

hi evilfantasy

i missed your last few posts yesterday. the clocks went forward last night and it was around 2am when i finally logged off!

here are the results of the combofix after the drag and drop.

ComboFix 08-03-29.1 - abc 2008-03-30 12:45:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT 1:00]
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\abc\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\abc\file.exe
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\system32\3230873064.dat
C:\WINDOWS\system32\drivers\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\abc\file.exe
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\system32\3230873064.dat
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Malwarebytes
2008-03-29 21:35 . 2008-03-29 21:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 21:23 . 2008-03-30 02:04 <DIR> d-------- C:\SDFix
2008-03-29 20:43 . 2008-03-29 20:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 15:01 . 2008-03-29 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2008-03-29 15:01 . 2007-11-26 11:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-03-29 15:01 . 2007-05-08 18:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-03-29 15:01 . 2004-08-04 02:07 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-03-29 15:01 . 2008-03-30 12:48 10,636 --a------ C:\WINDOWS\BOC425.INI
2008-03-20 23:46 . 2008-03-20 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-16 23:35 . 2008-03-29 15:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-16 23:35 . 2008-03-29 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 00:58 . 2008-02-28 00:58 57,344 --a------ C:\o7sx70.exe
2008-02-26 21:33 . 2008-03-30 12:21 4 --a------ C:\WINDOWS\system32\GVTunner.ref
2008-02-17 23:18 . 2008-02-17 23:18 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Leadertech
2008-02-13 00:12 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-13 00:12 . 2001-08-17 23:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 11:36 --------- d-----w C:\Documents and Settings\abc\Application Data\LimeWire
2008-03-30 11:21 24,944 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-03-29 14:13 --------- d-----w C:\Documents and Settings\abc\Application Data\AVG7
2008-03-29 14:01 --------- d-----w C:\Program Files\Comodo
2008-03-20 22:46 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 22:44 --------- d-----w C:\Documents and Settings\abc\Application Data\Lavasoft
2008-03-20 22:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 23:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 23:06 --------- d-----w C:\Program Files\Google
2008-02-25 22:11 32,336 ----a-w C:\Documents and Settings\abc\Application Data\GDIPFONTCACHEV1.DAT
2008-02-17 22:22 --------- d-----w C:\Documents and Settings\abc\Application Data\Nokia Multimedia Player
2008-02-13 20:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-30_ 2.17.21.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-17 23:07:50 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 11:24:12 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-17 23:07:50 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 11:24:12 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-18 00:06 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"EasyTuneVPro"="C:\Program Files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 15:05 20480]
"NWEReboot"="" []
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 02:12 2658304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-07 02:43 185632]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 20:24 579072]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 02:07 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2007-11-22 21:05 1481984]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 10:33 202016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 11:38 342272]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-09 02:13 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 02:07:30 61440]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-12-20 01:18:02 1167360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"=
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-11-22 21:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-11-22 21:05]
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-11-12 15:46]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);"C:\Program Files\TalkTalk\bin\sprtsvc.exe" /service /p TalkTalk []
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);"C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe" /p TalkTalk []
S3 Cap7134;VideoMate TV Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys []
S3 GVTDrv;GVTDrv;C:\WINDOWS\system32\Drivers\GVTDrv.sys [2008-03-30 12:21]
S3 PhTVTune;VideoMate TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys []
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc2.sys [2003-05-07 16:54]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2007-06-15 11:49]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist;C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-08-02 15:42]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 12:48:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2008-03-30 12:50:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 11:50:33
ComboFix2.txt 2008-03-30 01:40:06
ComboFix3.txt 2008-03-30 01:17:40
Pre-Run: 69,013,872,640 bytes free
Post-Run: 69,020,889,088 bytes free
#19  30-03-2008, 12:09 PM  lawt555 (CJ Member, England)

Results of virustotal scan as follows:

Antivirus          | Version | Last Update | Result
AhnLab-V3          | -       | -           | -
AntiVir            | -       | -           | TR/Crypt.XPACK.Gen
Authentium         | -       | -           | Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast              | -       | -           | -
AVG                | -       | -           | -
BitDefender        | -       | -           | -
CAT-QuickHeal      | -       | -           | -
ClamAV             | -       | -           | -
DrWeb              | -       | -           | -
eSafe              | -       | -           | -
eTrust-Vet         | -       | -           | -
Ewido              | -       | -           | -
FileAdvisor        | -       | -           | -
Fortinet           | -       | -           | -
F-Prot             | -       | -           | -
F-Secure           | -       | -           | -
Ikarus             | -       | -           | -
Kaspersky          | -       | -           | -
McAfee             | -       | -           | -
Microsoft          | -       | -           | -
NOD32v2            | -       | -           | -
Norman             | -       | -           | -
Panda              | -       | -           | -
Prevx1             | -       | -           | -
Rising             | -       | -           | -
Sophos             | -       | -           | -
Sunbelt            | -       | -           | -
Symantec           | -       | -           | -
TheHacker          | -       | -           | -
VBA32              | -       | -           | -
VirusBuster        | -       | -           | -
Webwasher-Gateway  | -       | -           | Trojan.Crypt.XPACK.Gen

Additional information
MD5: f65c6e342af108247bab4bca8a0e2f1b
SHA1: 185b5a7c9a6b40f40adcb3cf09c0db81fc6a9721
SHA256: f87819949149e5210d47945fbec0e2c7ae1a318e26b9417aff2cb8e0ec6084fa
SHA512: 9909cdf8e0cc0b061ef182f02feb6d3295c1b0f74410f68e5b2ae6c6893b3b0ff8852b2f87e317b31f4cde32edad278999a065815d6dba53eec8c943a83624bf
#20  30-03-2008, 04:36 PM  evilfantasy (CJ Moderator)

Download and install CleanUp!.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click Options...
  • Move the arrow to Standard CleanUp!
  • Uncheck the following: (if checked)
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  • Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64 bit Operating System, do NOT run Cleanup and let me know, as we will use another utility.


----------

Now post a new Hijackthis log and tell me how things are now.

Do you know what the C:\o7sx70.exe file is?

Copyright ©2006 - 2008 Computer Juice.
