#1
Hi all & merry Xmas to you all, but not me sadly. AVG quarantined two Trojans, SHeur.AFRE & BHO.CVX, plus one virus named Obfustat.ACRV. Thought nothing of this as the PC was running okay. Shut down last night, booted up this morning, problems straight away. Kept getting an error message concerning r9qpii2o3706.exe. Can't connect to the web via IE or Mozilla Firefox. Mozilla Thunderbird has been closed down & I can't turn on my Windows Firewall or AVG e-mail Scanner. Can't get messages or help using my own machine. I'm posting this on my son's laptop. Finally tried a System Restore but all restore points have been removed, so I'm feeling totally marooned. Please help, I'm sure you will. Many, many thanks, Slime. P.S. HJT log from a PC with no internet capabilities???
#2
If I were you I'd just format your HDD and re-install your OS. I don't know much about removing viruses without re-installing the OS, but that may be possible; however, it's easier to just re-install your OS. If you have some data on the HDD that you want to save, try backing it up. P.S. Wait for some more replies. They should be more helpful. Elijah
#3
Just managed to get this, hope it helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29:33, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1154716096448
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7027 bytes

Slime.
#4
O4 - HKLM\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe

That looks somewhat suspicious, but let evilfantasy confirm whether it is a threat or not.
#5
Hi Axegrinder, I had a very similar problem and did have BHO.CVX along with another trojan, which with the help of Evilfantasy I managed to remove, and restored the computer to its previous state. I also had Obfustat as well. Good luck in resolving it.
#6
I think this "pnkbstra.exe" is suspicious, but I googled it and the following appeared at http://www.processlibrary.com: pnkbstra.exe is a process. This is usually installed with the latest games like Battlefield 2142 and America's Army. This is usually detected as malware, but if removed it will affect the games installed, especially when online. So, if you play these games, it's all right though.

Looking up I saw this one:

O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll

Way strange, huh. Same thing, googled it, and this time, at this site, they see it as spyware. By the way, I don't know if by any chance you guys of the forum knew this site: http://www.processlibrary.com/. Very nice for these HijackThis logs. I agree with Axegrinder too, this key looks suspicious.
#7
Slime.
#8
Hi all, maybe this may make things a little clearer, or maybe not! Someone suggested I run a couple of programmes which may help. I ran SDFix.exe & then ComboFix.exe & finished up by getting another HJT log. The results are as follows. First I ran SDFix, resulting in the following;

SDFix: Version 1.119
Run by user on 12/25/2007 at 11:46

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 13:32:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"="C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe:*:Enabled:CoDUOMP"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Files with Hidden Attributes:

Wed 5 Dec 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sun 3 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 17 Jul 2007 520,192 A.SH. --- "C:\Documents and Settings\user\My Documents\100CASIO\SIV3.tmp"
Tue 17 Jul 2007 520,192 A.SH. --- "C:\Documents and Settings\user\My Documents\DCIM 3\100CASIO\SIV3.tmp"
Tue 17 Jul 2007 520,192 A.SH. --- "C:\Documents and Settings\user\My Documents\Italy 2007\DCIM\100CASIO\SIV3.tmp"

Finished!

Then I ran ComboFix with the following results;

ComboFix 07-12-21.4 - user 2007-12-26 0:42:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.554 [GMT 0:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\diskcopyv.dll
C:\WINDOWS\Tasks.\At1.job
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-25 11:46 . 2007-12-25 11:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-24 15:29 . 2007-12-24 15:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 17:07 . 2007-12-22 17:07 120,576 --a------ C:\WINDOWS\system32\dzwindti.dat
2007-12-22 16:59 . 2007-12-26 00:43 84,480 --------- C:\WINDOWS\system32\diskcopyv.dll
2007-12-22 16:59 . 2004-12-10 10:01 16,384 --a------ C:\WINDOWS\system32\r9qpjj2o3706.exe
2007-12-02 18:41 . 2007-12-02 18:41 <DIR> d-------- C:\Program Files\Activision
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 13:14 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-12-24 11:23 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-24 11:23 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2007-12-24 11:00 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2007-12-23 23:57 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-23 23:57 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-23 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-22 17:01 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-21 21:56 --------- d-----w C:\Documents and Settings\user\Application Data\OpenOffice.org2
2007-12-05 23:13 --------- d-----w C:\Program Files\Picasa2
2007-12-02 18:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-24 18:29 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2007-11-24 18:06 22,328 ----a-w C:\Documents and Settings\user\Application Data\PnkBstrK.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:07 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-27 23:07 --------- d--h--w C:\Program Files\Zero G Registry
2007-10-27 23:07 --------- d--h--r C:\Documents and Settings\user\Application Data\SecuROM
2007-10-27 23:07 --------- d-----w C:\Documents and Settings\user\Application Data\Sports Interactive
2007-10-27 23:04 --------- d-----w C:\Program Files\Sports Interactive
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-25 15:43 4,651,254 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2006-08-14 22:08 11,940,766 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_14_23_04_54_full.dmp.zip
2006-08-14 22:07 70,176 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_05_16_small.dmp.zip
2006-08-14 22:07 70,130 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_04_57_small.dmp.zip
2006-08-14 22:07 69,597 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_04_52_small.dmp.zip
2006-08-14 22:07 66,262 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_04_55_small.dmp.zip
2006-08-14 22:07 44,298 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_04_48_small.dmp.zip
2006-08-14 22:07 42,698 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_05_13_small.dmp.zip
2006-08-14 22:07 11,938,447 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_14_23_04_50_full.dmp.zip
2006-08-14 22:07 11,930,963 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_08_14_23_04_27_full.dmp.zip
2006-08-14 22:04 65,969 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_14_23_03_59_small.dmp.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DBB276B-036C-4C52-A8E2-31DC7E8C9597}]
2007-12-26 00:43 84480 --------- c:\windows\system32\diskcopyv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 15:09]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"r9qpjj2o3706"="C:\WINDOWS\system32\r9qpjj2o3706.exe" [2004-12-10 10:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 19:27]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 18:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 23:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-18 21:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 11:45]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"r9qpjj2o3706"="C:\WINDOWS\system32\r9qpjj2o3706.exe" [2004-12-10 10:01]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 21:03]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 21:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 21:56:14]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tmwtpqzo]
diskcopyv.dll 2007-12-26 00:43 84480 C:\WINDOWS\system32\diskcopyv.dll

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 03:22]
R2 xypaoajv;PnP ISA/EISA Bus Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs []
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 14:38]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 14:38]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 14:38]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xypaoajv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fea2b73-23e9-11db-95d5-000c76bab2d2}]
\Shell\AutoRun\command - H:\TrueCrypt\TrueCrypt.exe /q /a /lX /e /m rm /v "data"
\Shell\dismount\command - H:\TrueCrypt\TrueCrypt.exe /q /d
\Shell\mount\command - H:\TrueCrypt\TrueCrypt.exe /q /a /lX /e /m rm /v "data"
\Shell\open\command - H:\TrueCrypt\TrueCrypt.exe /lX /e /m rm /v "data"

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-12 09:37:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 22:34:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job" - C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.30.2.sxt _RegistrationOffer@16
"2007-12-25 13:34:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 00:43:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\diskcopyv.dll
.
Completion time: 2007-12-26 0:44:15
.
2007-12-21 21:55:23 --- E O F ---

and finally my HJT log after doing the above;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:52:55, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154716096448
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6862 bytes

Awaiting further instructions & not using my PC until you tell me to. Yours with many thanks, Slime.
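An added example, not code from this thread or from HijackThis: a small Python triage script for HJT logs of the kind posted in #3 and #8. It scores each autostart target the way the replies above do by hand: O2 BHOs with no display name, O4 Run entries launching a randomly named file, O20 Winlogon Notify DLLs, and the same file wired into more than one autostart location. The sample input is constructed from this thread's own log lines, and the scoring thresholds are my assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of entries copied from the HijackThis logs
# posted in this thread, so the example runs stand-alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DBB276B-036C-4C52-A8E2-31DC7E8C9597} - c:\windows\system32\diskcopyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [r9qpjj2o3706] C:\WINDOWS\system32\r9qpjj2o3706.exe
O20 - Winlogon Notify: tmwtpqzo - C:\WINDOWS\SYSTEM32\diskcopyv.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# One HJT entry per line: a section code (R0, O2, O4, O20, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in .exe/.dll in the body; quotes and launch arguments are skipped.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)


def parse_entries(log_text):
    """Return (kind, body) tuples for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def target_path(body):
    """Lower-cased path of the file an entry points at, or None if it has none."""
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else None


def looks_random(filename):
    """Heuristic (assumed threshold) for machine-generated names such as
    r9qpjj2o3706.exe: a stem of 8+ characters mixing 3+ digits with 3+ letters.
    Names with only a couple of digits, like hpztsb04.exe, are not flagged."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 8 and digits >= 3 and letters >= 3


def location_key(kind, body):
    """Tell the HKLM and HKCU Run keys apart so one file in both counts as two locations."""
    if kind == "O4":
        return "O4/" + body.split("\\", 1)[0].split(":", 1)[0]
    return kind


def triage(log_text):
    """Score every file referenced by an autostart entry; only scored files are returned."""
    findings = defaultdict(lambda: {"score": 0, "reasons": [], "locations": set()})
    for kind, body in parse_entries(log_text):
        path = target_path(body)
        if path is None:
            continue
        f = findings[path]
        f["locations"].add(location_key(kind, body))
        name = path.rsplit("\\", 1)[-1]
        if kind == "O2" and "(no name)" in body:
            # Most legitimate BHOs carry a display name (Spybot's SDHelper is a known exception).
            f["score"] += 1
            f["reasons"].append("BHO registered without a display name")
        elif kind == "O4" and looks_random(name):
            f["score"] += 2
            f["reasons"].append("Run key launches a randomly named file: " + name)
        elif kind == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe itself; ComboFix later
            # confirmed exactly that for diskcopyv.dll in this thread.
            f["score"] += 2
            f["reasons"].append("Winlogon Notify DLL (loaded into winlogon.exe at logon)")
    for f in findings.values():
        # One file wired into two or more autostart locations is a strong signal on its
        # own; an O23 service with no other hit (PnkBstrA.exe here) stays unscored.
        if len(f["locations"]) >= 2:
            f["score"] += 2
            f["reasons"].append("referenced by %d autostart locations" % len(f["locations"]))
    return {p: f for p, f in findings.items() if f["score"] > 0}


def report(log_text):
    """Findings as (path, score, reasons) tuples, highest score first."""
    found = triage(log_text)
    return sorted(((p, f["score"], f["reasons"]) for p, f in found.items()),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    for path, score, reasons in report(SAMPLE_LOG):
        print("%d  %s" % (score, path))
        for r in reasons:
            print("      - " + r)
```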
#9
Slime, Evilfantasy is who, not what. TCF moderator and author of many epic deeds in computer security here in this forum. If you didn't, take a look at some of his articles: http://www.thecomputerforums.co.uk/f...-posting-7476/ http://www.thecomputerforums.co.uk/f...safe-web-7949/
#10
Dude seems to know his onions okay. How do I get him to look at my problem, or is it just a matter of waiting & being lucky? I know it's Xmas & shouldn't expect quick responses so I'm trying to be patient! All the best, Slime. |