I think I have a virus problem...

Question

Droicut 0 Newbie Poster

16 Years Ago

I think it all started with a MSN virus my brother gotten lately... but in that process I found more things that just didn't really seem to make any sense. I downloaded AVG and it showed some files to be Trojan Backdoor.agent something. Can't really remember... (my bad... :sad: )

Searched up that string of letters and found this place and thought it might help. Here's a ComboFix and HijackThis log.

ComboFix 07-12-21.4 - NICHOLAS CHEW 2007-12-21 17:46:09.1 - NTFSx86
Running from: C:\Documents and Settings\NICHOLAS CHEW\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\autorun.inf
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\SYSTEM32\bmehgltd.ini
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\dtlghemb.dll
C:\WINDOWS\SYSTEM32\lndpcegs.ini
C:\WINDOWS\system32\nnnmkji.dll
C:\WINDOWS\SYSTEM32\qrtwa.ini
C:\WINDOWS\SYSTEM32\qrtwa.ini2
C:\WINDOWS\system32\sgecpdnl.dll
C:\WINDOWS\system32\upbdgpmb.dll
C:\WINDOWS\SYSTEM32\vuutv.ini2
C:\WINDOWS\system32\vwtvwosy.dll


.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


.
-------\LEGACY_SFSYNC02
-------\sfsync02



(((((((((((((((((((((((((   Files Created from 2007-11-21 to 2007-12-21  )))))))))))))))))))))))))))))))
.


2007-12-21 17:56 . 2007-12-21 17:56 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-21 17:56 . 2007-12-21 17:56 1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-21 17:31 . 2007-12-21 17:31 <DIR>    d--------   C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0   --a------   C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0   --a------   C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-21 15:50 . 2007-12-21 15:50 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\Application Data\Sunbelt Software
2007-12-21 03:23 . 2007-12-21 13:12 <DIR>    d--------   C:\Program Files\Windows Live Safety Center
2007-12-21 02:59 . 2007-12-21 02:59 <DIR>    d--------   C:\Program Files\WIZET
2007-12-20 05:50 . 2007-12-20 06:02 <DIR>    d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 05:49 . 2007-12-21 17:21 <DIR>    d--------   C:\Program Files\Windows Live
2007-12-20 05:48 . 2007-12-21 17:19 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-20 05:40 . 2007-12-21 09:30 <DIR>    d--------   C:\BackUpMSNCleaner
2007-12-20 03:41 . 2007-12-20 03:41 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-20 03:39 . 2007-12-20 03:39 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 03:39 . 2007-12-21 04:52 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 03:16 . 2007-12-20 03:16 <DIR>    d--------   C:\Program Files\Plasma Pong
2007-12-20 02:50 . 2007-12-21 12:59 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\Application Data\AVG7
2007-12-20 02:47 . 2007-12-20 03:16 <DIR>    d--------   C:\Program Files\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:16 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:15 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-12-20 02:21 . 2007-12-20 02:21 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\DoctorWeb
2007-12-19 21:54 . 2007-12-19 21:54 74,304  --a------   C:\WINDOWS\SYSTEM32\pwajtnmk.exe
2007-12-19 11:33 . 2007-12-19 11:33 74,304  --a------   C:\WINDOWS\SYSTEM32\mnfnwrop.exe
2007-12-18 09:53 . 2007-12-18 10:17 6,630   --ahs----   C:\WINDOWS\SYSTEM32\fhkmp.ini


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 09:32    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 09:29    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Skype
2007-12-20 20:29    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Azureus
2007-12-20 19:15    ---------   d-----w C:\Program Files\Azureus
2007-12-19 19:16    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 15:39    729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-04 15:39    ---------   d-----w C:\Program Files\Warcraft III
2007-11-21 17:11    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\mIRC
2007-11-13 10:25    20,480  ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 15:14    ---------   d-----w C:\Documents and Settings\SIMON CHEW\Application Data\mIRC
2007-11-08 10:59    ---------   d-----w C:\Program Files\mIRC
2007-11-03 17:38    ---------   d-----w C:\Program Files\Windows Media Connect 2
2007-10-21 13:45    ---------   d-----w C:\Program Files\iTunes
2007-10-21 13:45    ---------   d-----w C:\Program Files\iPod
2007-10-21 13:44    ---------   d-----w C:\Program Files\QuickTime
2007-10-21 13:42    ---------   d-----w C:\Program Files\Apple Software Update
2007-10-21 13:41    ---------   d-----w C:\Program Files\Common Files\Apple
2007-10-21 13:41    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Apple
2006-01-21 02:00    4,234   ----a-w C:\Documents and Settings\SIMON CHEW\!versions.dat
2005-05-13 09:12    217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13    66,560  --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27    422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14    308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 04:31    27,648  --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32    616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37    45,568  --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 16:00    70,656  --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 02:24    2,945,024   --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 05:16    240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 16:00    70,656  --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 02:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 03:40]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00    15360   --a------   C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05    127035  --a------   C:\WINDOWS\system32\dla\tfswctrl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02    86016   --a------   C:\Program Files\Dell\Media Experience\DMXLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54    57344   ---------   C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42    267064  --a------   C:\Program Files\iTunes\iTunesHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42    1404928 --a------   C:\Program Files\Analog Devices\Core\smax4pnp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03    36975   --a------   C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)


S3 CEDRIVER51;CEDRIVER51;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\DBK32.sys []
S3 CEDRIVER52;CEDRIVER52;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Documents and Settings\SIMON CHEW\Desktop\Msea V0.42 hacks pack\Buffy Engine 2\nvid888.sys [2007-05-03 14:37]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\NICHOLAS CHEW\My Documents\PSP Games\moonlight engine 1105.1\moonlight engine 1105.1\IlvMoney1105.sys []


.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-JEANNIE CHAR).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-07 10:30:02 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-SIMON CHEW).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-20 09:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 09:58:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 17:56:03
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-12-21 17:58:53 - machine was rebooted [NICHOLAS CHEW]
.
2007-12-20 19:05:22 --- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 6:07:35 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HijackThis.exe


O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

Hope there's someone who can save me. Thanks! :)

(Oh yes anyway, some of the files I mentioned seem to be picked up by ComboFix and deleted by CF. o.o)

windows-virus

Edited 11 Years Ago by happygeek because: fixed formatting

2 Contributors
11 Replies
281 Views
3 Days Discussion Span
Latest Post 16 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

16 Years Ago

Hi and welcome to Daniweb forums :).

===============

Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning. Repost your log after following the steps below. This version has features that might be more helpful in 'cleaning' up your system.

===============

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\pwajtnmk.exe
C:\WINDOWS\SYSTEM32\mnfnwrop.exe

crunchie 990 Most Valuable Poster

16 Years Ago

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

FileLook::
C:\WINDOWS\SYSTEM32\pwajtnmk.exe
C:\WINDOWS\SYSTEM32\mnfnwrop.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

Combofix.txt
A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

crunchie 990 Most Valuable Poster

16 Years Ago

The Filelook:: did not seem to work. I think that maybe it will only work with one file at a time.
Can you locate the two files and get into their Properties and post back all the info on them please.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Droicut 0 Newbie Poster · Answer 1 · 2007-12-21T18:52:52+00:00

Here's the new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:45 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HiJackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6609 bytes

Now the issue is... I can't upload both files to jotti to scan. Says something about me uploading 0 bytes.

I also can't attach it in hotmail. Something about zero byte as well...

Droicut 0 Newbie Poster · Answer 2 · 2007-12-21T20:43:26+00:00

ComboFix 07-12-21.4 - NICHOLAS CHEW 2007-12-21 21:27:01.2 - NTFSx86
Running from: C:\Documents and Settings\NICHOLAS CHEW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NICHOLAS CHEW\Desktop\CFScript.txt
* Created a new restore point
.


(((((((((((((((((((((((((   Files Created from 2007-11-21 to 2007-12-21  )))))))))))))))))))))))))))))))
.


2007-12-21 17:31 . 2007-12-21 17:31 <DIR>    d--------   C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0   --a------   C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0   --a------   C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-21 15:50 . 2007-12-21 15:50 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\Application Data\Sunbelt Software
2007-12-21 03:23 . 2007-12-21 13:12 <DIR>    d--------   C:\Program Files\Windows Live Safety Center
2007-12-21 02:59 . 2007-12-21 02:59 <DIR>    d--------   C:\Program Files\WIZET
2007-12-20 05:50 . 2007-12-20 06:02 <DIR>    d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 05:49 . 2007-12-21 17:21 <DIR>    d--------   C:\Program Files\Windows Live
2007-12-20 05:48 . 2007-12-21 17:19 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-20 05:40 . 2007-12-21 09:30 <DIR>    d--------   C:\BackUpMSNCleaner
2007-12-20 03:41 . 2007-12-20 03:41 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-20 03:39 . 2007-12-20 03:39 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 03:39 . 2007-12-21 04:52 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 03:16 . 2007-12-20 03:16 <DIR>    d--------   C:\Program Files\Plasma Pong
2007-12-20 02:50 . 2007-12-21 12:59 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\Application Data\AVG7
2007-12-20 02:47 . 2007-12-20 03:16 <DIR>    d--------   C:\Program Files\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:16 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:15 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-12-20 02:21 . 2007-12-20 02:21 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\DoctorWeb
2007-12-19 21:54 . 2007-12-19 21:54 74,304  --a------   C:\WINDOWS\SYSTEM32\pwajtnmk.exe
2007-12-19 11:33 . 2007-12-19 11:33 74,304  --a------   C:\WINDOWS\SYSTEM32\mnfnwrop.exe
2007-12-18 09:53 . 2007-12-18 10:17 6,630   --ahs----   C:\WINDOWS\SYSTEM32\fhkmp.ini


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 13:35    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Skype
2007-12-21 09:32    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 20:29    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Azureus
2007-12-20 19:15    ---------   d-----w C:\Program Files\Azureus
2007-12-19 19:16    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 15:39    729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-04 15:39    ---------   d-----w C:\Program Files\Warcraft III
2007-11-21 17:11    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\mIRC
2007-11-13 10:25    20,480  ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 15:14    ---------   d-----w C:\Documents and Settings\SIMON CHEW\Application Data\mIRC
2007-11-08 10:59    ---------   d-----w C:\Program Files\mIRC
2007-11-03 17:38    ---------   d-----w C:\Program Files\Windows Media Connect 2
2007-10-30 23:42    3,590,656   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43    1,287,680   ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43    1,287,680   ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 09:40    222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 09:40    222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34    8,460,288   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-21 13:45    ---------   d-----w C:\Program Files\iTunes
2007-10-21 13:45    ---------   d-----w C:\Program Files\iPod
2007-10-21 13:44    ---------   d-----w C:\Program Files\QuickTime
2007-10-21 13:42    ---------   d-----w C:\Program Files\Apple Software Update
2007-10-21 13:41    ---------   d-----w C:\Program Files\Common Files\Apple
2007-10-21 13:41    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-18 03:31    51,224  ----a-w C:\WINDOWS\SYSTEM32\sirenacm.dll
2007-10-10 23:56    824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet(2).dll
2007-10-10 23:56    824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56    232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56    1,159,680   ----a-w C:\WINDOWS\SYSTEM32\urlmon(2).dll
2007-10-10 23:56    1,159,680   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55    671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55    63,488  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55    6,065,664   ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55    52,224  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55    478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55    459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55    44,544  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55    384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55    383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55    27,648  ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55    267,776 ----a-w C:\WINDOWS\SYSTEM32\iertutil(2).dll
2007-10-10 23:55    267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55    230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55    214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55    193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55    153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55    132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55    124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55    105,984 ----a-w C:\WINDOWS\SYSTEM32\url(2).dll
2007-10-10 23:55    105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55    102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59    70,656  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59    625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59    13,824  ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46    161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2006-01-21 02:00    4,234   ----a-w C:\Documents and Settings\SIMON CHEW\!versions.dat
2005-05-13 09:12    217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13    66,560  --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27    422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14    308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 04:31    27,648  --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32    616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37    45,568  --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 16:00    70,656  --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 02:24    2,945,024   --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 05:16    240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 16:00    70,656  --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 02:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 03:40]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00    15360   --a------   C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05    127035  --a------   C:\WINDOWS\system32\dla\tfswctrl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02    86016   --a------   C:\Program Files\Dell\Media Experience\DMXLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54    57344   ---------   C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42    267064  --a------   C:\Program Files\iTunes\iTunesHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42    1404928 --a------   C:\Program Files\Analog Devices\Core\smax4pnp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03    36975   --a------   C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)


S3 CEDRIVER51;CEDRIVER51;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\DBK32.sys []
S3 CEDRIVER52;CEDRIVER52;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Documents and Settings\SIMON CHEW\Desktop\Msea V0.42 hacks pack\Buffy Engine 2\nvid888.sys [2007-05-03 14:37]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\NICHOLAS CHEW\My Documents\PSP Games\moonlight engine 1105.1\moonlight engine 1105.1\IlvMoney1105.sys []


.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-JEANNIE CHAR).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-SIMON CHEW).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-20 09:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 09:58:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 21:35:32
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-12-21 21:37:12
C:\ComboFix2.txt ... 2007-12-21 17:58
.
2007-12-20 19:05:22 --- E O F ---


New CF log here...


EDIT: Oops, forgot the HT logfile


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:31 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HiJackThis.exe


O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


--
End of file - 6607 bytes

Droicut 0 Newbie Poster · Answer 3 · 2007-12-23T01:28:20+00:00

[IMG]http://img299.imageshack.us/img299/1845/pwajtnmkhq9.jpg[/IMG]

[IMG]http://img444.imageshack.us/img444/2163/mnfnwropml8.jpg[/IMG]

Here we go. Sorry for the delay... :)

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2007-12-23T05:26:25+00:00

Judging by their size and date I would definitely say they are bad.

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\pwajtnmk.exe
C:\WINDOWS\SYSTEM32\mnfnwrop.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

Combofix.txt
A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Droicut 0 Newbie Poster · Answer 5 · 2007-12-23T22:27:57+00:00

Here's the new CF log. I had to reboot because CF stopped and left me with only my wallpaper.

ComboFix 07-12-21.4 - NICHOLAS CHEW 2007-12-24  0:09:39.3 - NTFSx86
Running from: C:\Documents and Settings\NICHOLAS CHEW\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NICHOLAS CHEW\Desktop\CFScript.txt
* Created a new restore point


FILE
C:\WINDOWS\SYSTEM32\mnfnwrop.exe
C:\WINDOWS\SYSTEM32\pwajtnmk.exe
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\SYSTEM32\mnfnwrop.exe
C:\WINDOWS\SYSTEM32\pwajtnmk.exe


.
(((((((((((((((((((((((((   Files Created from 2007-11-23 to 2007-12-23  )))))))))))))))))))))))))))))))
.


2007-12-24 00:21 . 2007-12-24 00:21 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-24 00:21 . 2007-12-24 00:21 1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-23 03:19 . 2007-12-23 03:19 2,855   --a------   C:\WINDOWS\SYSTEM32\mnfnwrop.PIF
2007-12-23 03:10 . 2007-12-23 03:10 <DIR>    d--h-----   C:\WINDOWS\PIF
2007-12-23 03:10 . 2007-12-23 03:19 2,855   --a------   C:\WINDOWS\SYSTEM32\pwajtnmk.PIF
2007-12-21 17:31 . 2007-12-21 17:31 <DIR>    d--------   C:\Program Files\Windows Defender
2007-12-21 16:01 . 2007-12-21 16:01 0   --a------   C:\WINDOWS\SYSTEM32\SBRC.dat
2007-12-21 16:01 . 2007-12-21 16:01 0   --a------   C:\WINDOWS\SYSTEM32\SBFC.dat
2007-12-21 15:50 . 2007-12-21 15:50 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\Application Data\Sunbelt Software
2007-12-21 03:23 . 2007-12-21 13:12 <DIR>    d--------   C:\Program Files\Windows Live Safety Center
2007-12-21 02:59 . 2007-12-21 02:59 <DIR>    d--------   C:\Program Files\WIZET
2007-12-20 05:50 . 2007-12-20 06:02 <DIR>    d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-20 05:49 . 2007-12-21 17:21 <DIR>    d--------   C:\Program Files\Windows Live
2007-12-20 05:48 . 2007-12-21 17:19 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-20 05:40 . 2007-12-21 09:30 <DIR>    d--------   C:\BackUpMSNCleaner
2007-12-20 03:41 . 2007-12-20 03:41 <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-20 03:39 . 2007-12-20 03:39 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 03:39 . 2007-12-21 04:52 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-12-20 03:16 . 2007-12-20 03:16 <DIR>    d--------   C:\Program Files\Plasma Pong
2007-12-20 02:50 . 2007-12-24 00:02 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\Application Data\AVG7
2007-12-20 02:47 . 2007-12-20 03:16 <DIR>    d--------   C:\Program Files\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:16 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-12-20 02:47 . 2007-12-20 03:15 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-12-20 02:21 . 2007-12-20 02:21 <DIR>    d--------   C:\Documents and Settings\NICHOLAS CHEW\DoctorWeb
2007-12-18 09:53 . 2007-12-18 10:17 6,630   --ahs----   C:\WINDOWS\SYSTEM32\fhkmp.ini


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 16:04    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Skype
2007-12-21 09:32    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 20:29    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\Azureus
2007-12-20 19:15    ---------   d-----w C:\Program Files\Azureus
2007-12-19 19:16    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 15:39    729,088 ----a-w C:\WINDOWS\iun6002.exe
2007-12-04 15:39    ---------   d-----w C:\Program Files\Warcraft III
2007-11-21 17:11    ---------   d-----w C:\Documents and Settings\NICHOLAS CHEW\Application Data\mIRC
2007-11-13 10:25    20,480  ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 15:14    ---------   d-----w C:\Documents and Settings\SIMON CHEW\Application Data\mIRC
2007-11-08 10:59    ---------   d-----w C:\Program Files\mIRC
2007-11-03 17:38    ---------   d-----w C:\Program Files\Windows Media Connect 2
2006-01-21 02:00    4,234   ----a-w C:\Documents and Settings\SIMON CHEW\!versions.dat
2005-05-13 09:12    217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 03:13    66,560  --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 13:27    422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 11:14    308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 04:31    27,648  --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32    616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37    45,568  --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 16:00    70,656  --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-04-27 02:24    2,945,024   --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 05:16    240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 16:00    70,656  --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-09 16:00]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" []


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 02:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-20 03:40]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00    15360   --a------   C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 01:05    127035  --a------   C:\WINDOWS\system32\dla\tfswctrl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 01:02    86016   --a------   C:\Program Files\Dell\Media Experience\DMXLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 16:54    57344   ---------   C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42    267064  --a------   C:\Program Files\iTunes\iTunesHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42    1404928 --a------   C:\Program Files\Analog Devices\Core\smax4pnp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03    36975   --a------   C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"NetSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)


S3 CEDRIVER51;CEDRIVER51;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\DBK32.sys []
S3 CEDRIVER52;CEDRIVER52;C:\Documents and Settings\NICHOLAS CHEW\My Documents\Cheat Engine\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Documents and Settings\SIMON CHEW\Desktop\Msea V0.42 hacks pack\Buffy Engine 2\nvid888.sys [2007-05-03 14:37]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\NICHOLAS CHEW\My Documents\PSP Games\moonlight engine 1105.1\moonlight engine 1105.1\IlvMoney1105.sys []


.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-JEANNIE CHAR).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-21 10:30:01 C:\WINDOWS\Tasks\ANZ McAfee.com Scan for Viruses - My Computer (FAMILYROOM-SIMON CHEW).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-12-20 09:27:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-23 16:23:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 00:22:07
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-12-24  0:25:02 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-21 21:37
C:\ComboFix3.txt ... 2007-12-21 17:58
.
2007-12-20 19:05:22 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:38 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\NICHOLAS CHEW\My Documents\hijackthis\HiJackThis.exe


O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138189840578
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


--
End of file - 6643 bytes

I bolded two files in the CF log. Doesn't look promising.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2007-12-24T03:55:01+00:00

See if you can delete those two manually. They should be no problem.
Your logs look ok. How is the pc?

Uninstall MyWebSearch from add/remove too. Almost missed it.

Droicut 0 Newbie Poster · Answer 7 · 2007-12-24T09:55:00+00:00

Found two shortcuts of that name. Turns out it actually leads to the .exe we deleted. Removed it successfully.

MyWebSearch isn't on my add/remove.

PC-wise, AVG resident shield hasn't gave me any more warnings after the first CF run. Everything seems to be rather smooth now. :)

Thanks!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 8 · 2007-12-24T14:50:15+00:00

You are welcome :).

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

Uncheck "Cookies" under "Internet Explorer".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Close when finished.

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.